Hackers reportedly compromised a Microsoft customer support account, exposing its credentials, and by extension customer email on Microsoft web-based email services like Hotmail, Outlook.com, and MSN.
TechCrunch reported over the weekend that Microsoft is sending emails to affected users, warning them of the issue. Presumably, those users who have not been contacted are unaffected. (Microsoft hasn’t said how many accounts were affected, nor did the company identify the specific services affected.)
At the time, Microsoft believed the attackers would only be able to read header information, such as the subject line or the address from which the email was sent. On Monday, however, Motherboard reported that email content was accessible as well. Microsoft then confirmed to Motherboard that a small number of users—six percent, according to Motherboard—had received email notifications stating that their email content had been impacted.
“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” a Microsoft representative said in an email. She also confirmed that a “small group,” the 6 percent of the original Motherboard cited, was notified that the bad actors could have had unauthorized access to the content of their email accounts, and was provided with additional guidance and support.
According to the original email sent to users, Microsoft said that the login information of individual users was not at risk; however, the company warned that attackers could send phishing emails or other attempts to either trick or pry personal information away from users. Microsoft recommended that users change their passwords as a precaution.
Unfortunately, if a user was one of the small number of users whose emails were directly accessed, that means that any personal information communicated during the January 1 – March 28 timeframe is potentially compromised.
“Please be assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of this issue, as well as additional hardening of systems and processes to prevent such recurrence,” Microsoft’s original email stated, as reported by a user on Reddit.
What this means to you: If you use one of Microsoft’s affected services, consider changing your password anyway—the scope of the breach may widen. Also, dig down into your spam folder. While it’s unlikely that an email of this importance was buried, it’s possible, and you’ll want to know about it.
This story was updated at 12:56 PM with additional comment from Microsoft.