Level 22
Microsoft has started notifying some users that a hacker was able to access accounts for months earlier this year. The software giant discovered that a support agent’s credentials were compromised for its web mail service, allowing unauthorized access to some accounts between January 1st and March 28th, 2019. Microsoft says the hackers could have viewed account email addresses, folder names, and subject lines of emails, but not the content of emails or attachments.

It’s not clear how many users have been affected by the breach, or who was involved in obtaining access to email accounts. “Our data indicates that account-related information (but not the content of any e-mails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used,” says Microsoft in an email to affected users.

The hackers weren’t able to steal login details, or other personal information, but out of caution Microsoft is recommending that affected users reset their passwords. “Microsoft regrets any inconvenience caused by this issue,” says the security notification. “Please be assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence.”

This security incident comes weeks after a former security researcher pled guilty to hacking into Microsoft and Nintendo servers. Microsoft’s Windows development servers were breached for a number of weeks in January, 2017, allowing hackers across Europe to access pre-release versions of Windows.

The Verge has reached out to Microsoft to confirm how many accounts were affected by this recent breach, but the company did not respond in time for publication.



Level 20
Ouch. I know Microsoft is super security-oriented.

And this is the security challenge sometimes. It was a Microsoft vendor that got penetrated and enabled the limited disclosure.

So where vendors and 3rd parties are involved in support operations... the security posture is then downgraded to the weakest link in the chain.

The way that Microsoft worded the letter, it seems that they did well in the design of access for that vendor -- allowing only minimal access to the data without allowing the vendor the ability to open the email.