Microsoft Admits Breach, Hackers Accessed Users’ Outlook, Hotmail, and MSN Email for Months (Full Text of Microsoft Email Statement Included)


Microsoft disclosed over the weekend that hackers accessed Microsoft users’ Outlook, Hotmail, and MSN email over the course of several months, ending just last month (March of 2019).

In an email sent out to Hotmail, MSN and Outlook users on Saturday (full text of email below), Microsoft explained that “a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account.” While Microsoft hasn’t yet shared exactly how the compromise happened, it’s quite possible that it was through social engineering (for an example of how social engineering led to a company transferring millions of dollars to a scammer, see here).

In fact, given that it’s Microsoft, one has to imagine that it would be orders of magnitude more difficult for a hacker to breach Microsoft’s security than to talk their way past it.

Perhaps one of the most worrisome aspects of this breach is that the hackers were able to access the data in those accounts including not just the subject lines and ‘to’ email addresses in email that you sent, but also, at least in some cases, the text in the body of the email. This means that the hackers have a rich body of data from which to mine details that are useful in phishing and other forms of social engineering.

So, what should you do if you are still using Hotmail, Outlook or MSN, and so may well have been breached? First, according to Microsoft, login credentials were “not directly impacted”; however (also according to Microsoft), you should still change your password. Microsoft also says to be extra aware of phishing emails: for example, you may get an email that seems to be from a company or friend to whom you sent email (the hackers have all of that information) but is in fact from the hacker, so be sure to view your email with extra scrutiny.


Here’s the full text of the email sent out by Microsoft over the weekend.

Full Text of Email from Microsoft Regarding Breach of Outlook, MSN, and Hotmail Email Systems

Microsoft is committed to providing our customers with transparency. As part of maintaining this trust and commitment to you, we are informing you of a recent event that affected your Microsoft-managed email account.

We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account. This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments, between January 1st 2019 and March 28th 2019.

Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access. Our data indicates that account-related information (but not the content of any e-mails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used. As a result, you may receive phishing emails or other spam mails. You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source (you can read more about phishing attacks at microsoft[dot]com/en-us/windows/security/threat-protection/intelligence/phishing).

It is important to note that your email login credentials were not directly impacted by this incident. However, out of caution, you should reset your password for your account.

If you require further assistance, or have any additional questions or concerns, please feel free to reach out to our Incident Response Team at ipg-ir@microsoft.com. If you are a citizen of European Union, you may also contact Microsoft’s Data Protection Officer at:

EU Data Protection Officer
Microsoft Ireland Operations Ltd
One Microsoft Place,
South County Business Park,
Leopardstown, Dublin 18, Ireland
dpoffice[at]microsoft[dot]com

Microsoft regrets any inconvenience caused by this issue. Please be assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence.
