Users of Microsoft email services such as Hotmail, MSN and Outlook have been warned to be vigilant after the tech giant admitted some user accounts were compromised.
Over the weekend, TechCrunch reported that the accounts of some users of web email services managed by Microsoft, including @hotmail.com and @msn.com, had been compromised.
An email was sent out to affected users last week, saying adversaries would have been potentially able to access information such as their email address, contacts’ email addresses and subject lines. However, the notification also said that potential attackers couldn’t view the content of actual emails or attachments.
The breach, which ran for roughly three months between January 1 and March 28, came after a customer support agent’s credentials were compromised.
But then things got confusing. Motherboard reported that the issue is in fact worse than originally thought: Hackers were able to access email content from a large number of Hotmail, MSN and Outlook accounts.
Motherboard attributes this information to a source who had witnessed the attack in action. The source told the site that hackers were able to access any email account apart from corporate level accounts. The source also demonstrated that adversaries were able to see a user’s calendar and birth date.
What does Microsoft say?
Microsoft wasn’t particularly clear at first, but it did reveal some information to me in a statement over email. “We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” a Microsoft spokesperson told me.
The tech giant says its notification to the majority of those impacted noted that bad actors would not have had unauthorized access to the content of emails or attachments.
“A small group (~6% of the original, already limited subset of consumers) was notified that the bad actors could have had unauthorized access to the content of their email accounts, and was provided with additional guidance and support,” according to the Microsoft spokesperson.
Microsoft has increased detection and monitoring for the affected accounts and recommended that users change their passwords. The firm told TechCrunch: “You should be careful when receiving any emails from any misleading domain name, any email that requests personal information or payment, or any unsolicited request from an untrusted source.”
What is the impact?
It looks like some users were affected by the first reported compromise and a smaller number by the second. Anyone who has received a breach notification from Microsoft is impacted.
The first comment from Microsoft said only high-level information was affected. This would have shown a hacker who the person was communicating with, the subject of the email and the birth date of the individual. This is fairly limited information which would be difficult to act on, says Andrew Martin, CEO and founder of cybersecurity company DynaRisk. “These people could be targeted with phishing scams pretending to be Microsoft support to encourage the person to install a virus on their PC – which could hold the person to ransom or lead to identity theft.”
However, if hackers could access email content, it is much more concerning. “There may have been additional information in those support tickets that could be used against the victim,” says Martin.
“Again, the cyber criminal could send scams to the victim tailored to the information they found inside the communication with Microsoft. For example, if the hacker knew the person was having a problem say upgrading to Windows 10, they could send the victim a ‘free Windows 10 upgrade’ email which would contain a virus.
“The attacker could also send the person a ‘Microsoft Password Reset’ email which could trick the user into giving up username/password details so the adversary could log into their social media, banking or other accounts to commit identity theft.”
Therefore, the affected should be extra vigilant, particularly when downloading files and clicking on links, says Dave Palmer, director of technology at Darktrace.
So does this breach fall under the EU General Data Protection Regulation (GDPR)? If details such as names and dates of birth were in fact compromised, yes.
If accounts of European citizens were compromised and the breach contained personally identifiable information, which seems to be the case, this “definitely falls under the scope of GDPR”, says Felix Rosbach, product manager at Comforte AG.
And of course, this wouldn’t be the first time the company has had a run-in with EU data protection regulators. Back in 2018, it was accused of collecting email data through some of its Office apps in contravention of GDPR.
There is often a perception that if users’ financial information is not compromised, the breach isn’t that serious, says Matthew Overton, corporate and commercial partner at law firm Joelson. “However, leakage of other information types – as is the case here – can leave people open to real risk. At the most extreme end is blackmail, or password reset on another account which goes into Hotmail and is then read and stolen by the hackers who gain control of that other account.”
From a legal perspective, any individual who thinks they have suffered a loss has a right to seek compensation from Microsoft, Overton says. “They don’t need the Information Commissioner’s Office (ICO) to find against Microsoft first in order to succeed, although that would help. Consumers can also take steps to try and compel the ICO, or any other local EU regulator to investigate under the GDPR.”
What should you do?
Many users of Microsoft services such as Hotmail and MSN told me they use their accounts purely for junk mail. However, if your account is connected to other details in any way, it makes sense to improve your security. Change your password; it’s easy and doesn’t take long. Perhaps close down accounts that have been sitting unused for months or years.
Affected users – those with Outlook.com addresses, and even older Hotmail and MSN addresses – should check what sensitive information can be found in their accounts, and should consider the possibility that a malicious third party has at some point had access to this information, says Oz Alashe, CEO of CybSafe.
It goes without saying that if you have been notified of the breach you must change your password immediately. This is especially important if you use this password elsewhere.
“Though passwords haven’t been exposed, affected users should change their passwords regardless. This also applies to passwords of other accounts, such as Facebook, Twitter, Amazon, and so on, if these use the same combination,” Alashe says.
Lastly, look out for phishing emails. Always be cautious when you receive an email asking you to change your password or click on a link to enter credentials. Look at the email sender: is the name legit? In addition, hover your mouse over links and see where they lead. And it’s never a good idea to open attachments if you weren’t expecting them or don’t know where they come from.
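The two manual checks above (is the sender's name backed by a matching address, and does a link really go where its text says) can be automated. The following is an added example, not code from Microsoft or from anyone quoted in the article; the message it inspects is a constructed fake "Microsoft Password Reset" email using reserved `.invalid` domains.

```python
# Checks for the two cues in the article: the real address behind a display name, and a link's real target.
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a fake "Microsoft Password Reset" message (not a real email).
SAMPLE_EML = """\
From: "Microsoft Account Team" <support@example-mail-alerts.invalid>
Subject: Microsoft Password Reset
Content-Type: text/html

<p>Please <a href="http://login.example-reset.invalid/reset">reset it at microsoft.com</a>.</p>
"""

class _LinkCollector(HTMLParser):
    # Collects (visible text, href) for every <a> element in the HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def parse(raw):
    return email.message_from_string(raw, policy=policy.default)

def sender_mismatch(msg, brand="microsoft"):
    # "Is the name legit?": the display name claims a brand that the address domain lacks.
    name, addr = parseaddr(msg["From"])
    domain = addr.rsplit("@", 1)[-1].lower()
    return brand in name.lower() and brand not in domain

def link_mismatches(msg, brand_domain="microsoft.com"):
    # "Hover over links": the visible text names the brand, but the real host is elsewhere.
    collector = _LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    suspicious = []
    for text, href in collector.links:
        host = (urlparse(href).hostname or "").lower()
        if brand_domain in text.lower() and host != brand_domain and not host.endswith("." + brand_domain):
            suspicious.append((text, host))
    return suspicious
```

Both checks are heuristics: a legitimate message from a third-party mailer can trip the sender check, so treat a hit as a reason to look closer rather than as proof of phishing.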