A recently disclosed Microsoft email-platform breach is reportedly much worse than initially thought, affecting a large number of Outlook accounts as well as MSN and Hotmail email accounts.
On Friday, a slew of Outlook users reported receiving breach notifications from Microsoft. The notification warned of unauthorized access to accounts between Jan. 1 and March 28, but said that only “some” accounts were affected and that the content of emails and any attachments were not exposed.
However, a Sunday Motherboard report said that the breach is “much worse” than previously reported. According to Motherboard, the hackers were in fact able to access email content, and the breach affected a large number of Outlook, MSN and Hotmail email accounts.
A source who provided screenshots to Motherboard said that full email body content was exposed; Motherboard added that Microsoft confirmed the hackers gained access to some email content for about 6 percent of the affected non-corporate users.
“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” a Microsoft spokesperson said in a statement.
Microsoft said it notified the majority of those affected that the attackers would not have had unauthorized access to the content of their emails or attachments. It said it notified a smaller group, around 6 percent of the affected customers, that the attackers may have had unauthorized access to the content of their email accounts.
In its notification, Microsoft said that the breach began when a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access victims’ email information. The attackers then gained unauthorized access to account-related information, including email addresses, folder names, email subject lines and recipient email addresses.
“Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access,” Microsoft said. “Our data indicates that account-related information (but not the content of any emails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used.”
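The incident as described is a privileged internal account (a support agent’s) being used to touch mailboxes it had no business reason to touch. The script below is an added example, not Microsoft’s tooling or anything from this article: it assumes a support tool that writes one log line per mailbox action (timestamp, agent id, action, target mailbox), runs over a constructed sample log, and flags an agent who either reaches into more distinct mailboxes in an hour than a support workflow would plausibly need, or performs a content-level action (reading a body or attachment) that a metadata-only role should never perform. The log format, action names and thresholds are all assumptions for illustration.

```python
"""Flag support-agent accounts whose mailbox access pattern looks abnormal.

Added illustration. The log format, action names and thresholds below are
assumptions, not the format of any real Microsoft support tool.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption: one line per mailbox action).
# Fields: ISO-8601 UTC timestamp, agent id, action, target mailbox.
# agent17 looks like ordinary ticket work; agent42 sweeps many mailboxes
# in a few minutes at 2 a.m. and then reads a message body.
SAMPLE_LOG = """\
2019-02-10T09:01:00Z agent17 view_metadata alice@example.com
2019-02-10T09:20:00Z agent17 view_metadata bob@example.com
2019-02-10T14:05:00Z agent17 view_metadata carol@example.com
2019-02-11T02:00:00Z agent42 view_metadata dave@example.com
2019-02-11T02:01:00Z agent42 view_metadata erin@example.com
2019-02-11T02:02:00Z agent42 view_metadata frank@example.com
2019-02-11T02:03:00Z agent42 view_metadata grace@example.com
2019-02-11T02:04:00Z agent42 view_metadata heidi@example.com
2019-02-11T02:05:00Z agent42 view_metadata ivan@example.com
2019-02-11T02:06:00Z agent42 read_body ivan@example.com
"""

# Assumption: a metadata-only support role is never entitled to these actions.
CONTENT_ACTIONS = {"read_body", "read_attachment"}


def parse_log(text):
    """Parse the constructed log into (timestamp, agent, action, mailbox) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, agent, action, mailbox = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), agent, action, mailbox))
    return sorted(events)


def find_suspicious_agents(events, window=timedelta(hours=1), max_mailboxes=5):
    """Return {agent: [reasons]} for agents whose access pattern crosses a threshold.

    Two signals: (1) any content-level action at all, and (2) more than
    max_mailboxes distinct mailboxes touched inside any sliding window.
    """
    by_agent = defaultdict(list)
    for ev in events:
        by_agent[ev[1]].append(ev)

    findings = defaultdict(list)
    for agent, evs in by_agent.items():
        # Signal 1: content access by an account that should only see metadata.
        bodies = sorted({m for _, _, a, m in evs if a in CONTENT_ACTIONS})
        if bodies:
            findings[agent].append(
                f"content access to {len(bodies)} mailbox(es): {', '.join(bodies)}"
            )

        # Signal 2: breadth of access. Slide a time window over the agent's
        # events (already sorted) and track the peak number of distinct mailboxes.
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {m for _, _, _, m in evs[start:end + 1]}
            peak = max(peak, len(distinct))
        if peak > max_mailboxes:
            findings[agent].append(f"{peak} distinct mailboxes within {window}")

    return dict(findings)


if __name__ == "__main__":
    for agent, reasons in find_suspicious_agents(parse_log(SAMPLE_LOG)).items():
        print(agent)
        for reason in reasons:
            print("  -", reason)
```

On the sample log only agent42 is flagged, on both signals; agent17’s three lookups spread over five hours stay under the breadth threshold. In a real deployment the threshold would come from each role’s baseline rather than a constant, and the content-action signal is the one worth alerting on immediately, since it corresponds to the 6 percent case described above rather than the metadata-only case.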
Microsoft Outlook has been marred by vulnerabilities over the past year, including a since-patched bug that allowed attackers to steal a victim’s Windows account password hash via a previewed Outlook message, and a remote code-execution vulnerability that could give an attacker control of the targeted system, with full impact when the victim is logged into their Windows PC with administrator rights.
Microsoft said that as a result of the breach, affected customers may receive phishing emails or other spam.
“You should be careful when receiving any emails from any misleading domain name, any email that requests personal information or payment, or any unsolicited request from an untrusted source,” said Microsoft.
Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, said in an email that as a precaution, all Outlook users should change their passwords and secret questions, as well as passwords for any other accounts that sent, or could have sent, a password recovery link to their Outlook email.
“It is too early to attribute the attack due to lack of the information available,” he said. “It can well be a group of beginners who publicly sell email hacking services, as well as a nation-state hacking group targeting political activists or western companies.”
This article was updated at 10:49 a.m. with further comments from Microsoft.