Posted on April 15, 2019 at 3:43 PM
Despite Microsoft downplaying the breach, sources within the company have provided proof that Microsoft’s customer service portal has allowed hackers almost unlimited access to all of the consumer-facing email services under the company umbrella.
When a group of hackers compromises an email account it can lead to a breakdown of every service in your life. When hackers get into an organization, it can lead to an even bigger break down of services across the board.
This is what has happened to Microsoft. Hackers managed to abuse the company’s customer support portal to the extent that they were able to read any email account that was not in the enterprise domain.
Microsoft confirms breach
On Saturday, April 13th, Microsoft finally copped to a breach that had been public knowledge since March. It confirmed to TechCrunch that a “limited” number of people had been affected by the breach. Users with emails managed by Microsoft, mostly @hotmail.com and @msn.com addresses were the “limited” sub-set of user affected.
Microsoft said that they had addressed the issue by disabling the compromised credentials which then limited the attackers’ access. According to Microsoft, the hackers had access to the users’ email address, folder names, subject-lines of emails and names of others with whom the account had contacted.
Microsoft is adamant that the contents of the emails, including attachments, were not accessible via its customer service portal. The company is also adamant that credentials such as the passwords to the accounts were unaffected. However, they have still recommended to all users that were potentially affected by the breach to change their email passwords.
The story in full according to Microsoft
Microsoft issued a letter to users that stated what had happened. In the letter, they said that the breach had been going on between the 1st of January to the 28th of March of this year. The hackers were able to gain access to the system with credentials stolen from a Microsft customer support agent.
Microsoft said that once the compromised credentials had been identified, they were then disabled immediately. While the company has said that they do not know what data was accessed by the hackers or what the hackers intended to do with it, they do warn users that they would be receiving more phishing and spam emails as a result of this breach.
In a separate letter to TechCrunch, the publication said that Microsoft had told them that they will be increasing detection and monitoring on the accounts that were affected. It is also important to note that no enterprise accounts were affected in any way.
Microsoft keeping mum on important details
While the statement from Microsoft did clear up a lot of the debacle, there was certain information that was conspicuous by its absence. Microsoft did explain how it discovered the breach for one thing. They did not confirm when they found out either. What is known is that an anonymous source fed information to Vice’s Motherboard section about a potential breach in Microsoft’s email services.
Motherboard says that the source had provided proof and described the attack as an abuse of the customer support tool. A day before Microsoft released their statement, the source reiterated their stance on the issue. Motherboard’s source, who has since been proven worthy, has stated that attackers had access to the content and attachment of emails, in direct contrast to what Microsoft told users of its services.
Another important fact that was absent from Microsoft’s is where the attacker was able to gain the credentials. Were they from a Microsoft employee or a third-party that provided support services on behalf of Microsoft? These details would have shed light onto just how much culpability Microsoft had in the breach and what we could expect from the company in the future with regards to the safe-keeping of data.
It is also telling that, according to Motherboard’s source that Microsft has such detailed access to the contents of your emails, though this is definitely a topic for another, more detailed piece.