Introduction
Microsoft has been hit by a data breach which, they say, lasted from the 1st of January 2019 until the 28th of March 2019. The breach affects customers of email services, such as MSN, Hotmail and Outlook, but only affects free, personal accounts, and not enterprise users of these services.
Details of the Attack
According to a customer letter sent from Microsoft to a reader of Techcrunch, the breach occurred when the credentials of a Microsoft support agent were compromised. This allowed unauthorised parties access to email data, including subject lines, addressees, folder names and the email address of the user. In other words, email metadata. Microsoft originally assured users that it was impossible for the unauthorised party to view the content of emails.
In a leak published by Motherboard, it appears that the extent of the breach is worse than Microsoft had claimed, creating distrust in their incident response procedures and overall transparency. Motherboard’s source provided screenshots of an admin panel that the customer support agent may have used. These screenshots showed that support agents could, in fact, see more email account metadata than had been initially stated, and privileged agents could view the contents of emails. When provided with this information, Microsoft stated that the contents of emails of around six percent of the impacted customers could be read by the unauthorised party, but declined to say the total number of impacted customers.
Our Advice
It is difficult to offer cyber security advice to readers regarding this issue. Microsoft has said that the credentials of individual users of their email services have not been compromised, but they still recommend those users who are concerned about the breach change their password. If customer support agents are able to read the content of emails then a password change will not prevent this. However, given that details of the attack are still not being made public, we would echo this recommendation from Microsoft and urge users to change their passwords.
More importantly, it is likely that sophisticated phishing attempts will result from this breach, so readers should be wary of emails which originate from unusual domains or contain unsolicited requests. Finally, consider closing old email accounts which are no longer required. Many of the affected email services are relatively old and have been superseded, and older services are an easier target for cyber attack.