Hackers snab emails and more in Microsoft Outlook, Hotmail, and MSN compromise

Long-time users of certain Microsoft products, such as Hotmail, MSN, and Outlook, found they may be wrapped up in a hack grabbing snippets of email information, and in some cases, a little bit more.

Microsoft email services have been around forever in Internet time. Yet, many users still have a few Hotmail accounts rattling around. While most have long since moved on from MSN and Hotmail to Live and Outlook, all of these email accounts are still chugging away in one form or another.

Perhaps it’s an email you’ve pretty much grown up with and don’t want to let go. Maybe your old Microsoft-supplied email address is tied into large portions of the MS ecosystem, and you’d rather not start trying to reinvent the wheel. It could be you just appreciate the novelty of having a legacy email address, which is becoming rarer with each passing moment.

No matter your angle, and regardless of your stance on whether a Hotmail account is even a good idea anymore, people still make use of them.

This is where our tale of compromise woe begins.

What happened?

A customer support agent’s credentials were compromised by hackers and used to gain access to certain pieces of email data. If your account was for business, you’re safe. If it was a free personal account, however, it might have been affected. As per the notification email from Microsoft, which appears to have gone out over the weekend:

Dear customer,

We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account. This unauthorised access could have allowed unauthorised parties to access and / or view information related to your email account (such as your email address, folder names, the subject lines of emails, and the names of other email addresses you communicate with), but not the content of any emails or attachments, between January 1st 2019 and March 28th 2019.

While Microsoft stated that no email content was pilfered, a little while after their initial reveal, they had to update their warnings to state that about 6 percent of the total affected users had, in fact, had email body content accessed.

Microsoft hasn’t revealed how many users in total were affected during the attack, which took place between January 1 and March 28, but actual email content accessed is a significant step up in severity from subject lines and contacts.

What steps did Microsoft take?

Once the attack was brought to Microsoft’s attention, they shut it down quickly. Going back to their notification email:

Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorised access…it is important to note that your email login credentials were not directly impacted by this incident. However, out of caution, you should reset your password for your account.

They also advised users to be wary of phishing attacks and social engineering tactics in general. All the same, information is a little thin on the ground.

As TechCrunch notes, Microsoft hasn’t revealed if the support account was a third party or belonged to a Microsoft employee, or which regions were impacted—aside from a reference to the EU in one of the emails.

Additionally, Microsoft claims this took place over three months; an informant for Motherboard reckons it was more like six (which Microsoft denies).

Next steps?

At this point, we’d usually suggest security tips along the lines of changing your passwords, but this attack is tricky because it didn’t involve users’ credentials. It seems no matter how locked down your account was, the method of attack allowed hackers to see what they wanted to see.

As Microsoft suggests, feel free to change your password if it makes you feel more reassured. If you want to boost your online webmail account security, there’s never been a better time to begin. You might also want to rethink hanging onto those dinosaur, legacy accounts, as they are huge targets for cybercriminals.

The biggest risk from this attack is most likely to the small number of users whose full email content was viewable by the hackers. With any luck, what they saw is nothing too sensitive. For our part, we recommend checking out our suggestions for spotting dubious emails to cover any potential social engineering or phishing attempts spurred by this attack.

It’s definitely bad, but it could’ve been a lot worse. The lesson we can hopefully learn from this one: Be thankful for small mercies.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.