Microsoft’s Outlook.com email service was compromised earlier this year, the software company has recently revealed, leading to hackers able to view sensitive user data.
According to Microsoft, the issue went unnoticed for three months before it closed the vulnerability.
Microsoft have downplayed the issue by stating that the information viewable was limited, but recent news has brought this claim into question.
What Happened?
Outlook was left vulnerable through a third-party support agent with compromised credentials — a customer support portal, according to one source.
Hackers had access to email information for some users between January 1 and March 28, 2019. Microsoft hasn’t revealed how many users were affected by the data leak, aside from stating that it is a “limited subset” of the total Outlook users.
What Details Could the Hackers See?
Not all email details were available to hackers, according to early reports. The vulnerable details definitely included email addresses, folder names, and email subject lines. Not included, according to Microsoft: Text from the body of any emails, any login information or passwords, and any attachments within any emails.
Here’s what Microsoft said:
“Our data indicates that account-related information (but not the content of any e-mails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used,” Microsoft told affected users in an email, The Verge reported.
However, that initial statement might have under reported the issue.
Could Hackers Access Email?
An anonymous source has told Vice’s Motherboard a different story, saying that the full text of email bodies were vulnerable in some cases.
“But the issue is much worse than previously reported, with the hackers able to access email content from a large number of Outlook, MSN, and Hotmail email accounts, according to a source who witnessed the attack in action and described it before Microsoft’s statement, as well as screenshots provided to Motherboard. Microsoft confirmed to Motherboard that hackers gained access to the content of some customers’ emails.”
When confronted with these claims by Motherboard, Microsoft told them hackers could indeed have accessed the body of emails received by “around 6 percent of a small number of impacted customers.”
According to Motherboard’s source, paying enterprise users’ accounts weren’t affected, while consumer users’ accounts were.
Granted, that anonymous source hasn’t been proven entirely accurate: They claimed the data breach left users vulnerable for “at least six months,” while Microsoft hasn’t backed down on their assertion that the data was only accessible from the beginning of January until March 28.
Whatever the case, there’s no ignoring how meaningful the information that leaked could be.
Are Outlook.com users now safe?
Microsoft has stated through a spokesperson that they’ve disabled any “compromised credentials” and “block[ed] the perpetrators’ access.”
It looks like Outlook.com users are now secure, for a certain definition of the word. At this point, we’ve seen so many high-profile data breaches in the past few years that a sense of fatigue has set in among some. Nevertheless: Outlook.com users should change their passwords, just as a precaution.
