Microsoft webmail services breached by hackers with support agent’s credentials
In an email sent to affected users, Microsoft said that the hackers were possibly able to access email addresses, subject lines of emails, folder labels, and the names of other email addresses that the user contacted. Fortunately, the content of emails, including attachments, were not compromised, nor were login credentials such as passwords.
The hackers were able to carry out the security breach, which happened from January 1 to March 28, by compromising the credentials of a customer support agent. Microsoft has identified the credentials that the hackers used and disabled them.
Microsoft warned that affected users may receive more spam emails, and may be on the receiving end of phishing attempts. Affected users should stay vigilant against such attacks, and are still advised to change their passwords even if the contents of their emails were not compromised because hackers may be able to use the addresses for identity theft purposes.
It is unclear how many users were hit by the data breach, and who the hackers behind the attack are. It appears that at least some of the affected accounts are from the European Union, as Microsoft is offering the contact information for the EU’s data protection officer.
“Please be assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence,” Microsoft said in the letter.
The attack on Microsoft webmail services follows a much bigger data breach that was discovered in January. Troy Hunt, the security researcher behind Have I Been Pwned, found what is now known as Collection No. 1. The assemblage of data contained more than 773 million records, including more than 21 million unique passwords, across 12 separate folders, with a total size of 87GB.
It might not be as bad as Collection No. 1, but people with Microsoft web-based email accounts should still follow the recommendation and change their password, just to be safe.