Microsoft has confirmed that hackers had access to a number of users’ online accounts across, Outlook, Hotmail and MSN services for the past three months.
According to Microsoft, the hack took place between January 1st and March 29th, after a hacker, or a group of hackers, compromised the login credentials of a customer support representative.
The credentials gave hackers unauthorised access to some users’ email information, including email addresses in messages, message subject lines, and folder names inside accounts.
However, the content of emails or attachments remained inaccessible, Microsoft said in an email sent to users.
“Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorised access,” Microsoft said.
Microsoft said it didn’t know why it occurred but warned customers that they may receive phishing emails or other spam mail as a result of the breach.
Microsoft claims that the hackers weren’t able to any steal any personal information, but has advised users to change their Outlook passwords as a precautionary measure.
However, website Motherboard cited an anonymous source as saying that the hackers were, in fact, able to access data on some users, including the content of their emails.
According to the motherboard report, hackers were able to access more data from users with free accounts, while enterprise accounts that businesses pay for, were not affected.
Motherboard admitted this was the case for around 6% of a small number of users that were affected by the breach. It said those users had also been notified.
“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” a Microsoft spokesperson told Motherboard.
Microsoft didn’t specify how many users were affected in total.
The data breach seems to be insignificant compared to recent security incidents involving companies like Facebook, said Ilia Kolochenko, the founder and CEO of security firm ImmuniWeb.
“Compromise of privileged accounts is a widespread and effective method among cybercriminals to get to the crown jewels at high speed and low cost. It is, however, quite surprising that such a reputable company as Microsoft reportedly has not reacted to the anomalies for as long as three months.
“Continuous monitoring of privileged accounts is quintessential to ensure data security and compliance. Moreover, nowadays, with emerging machine learning technologies it has become a pretty easy task is properly implemented.
“It is too early to attribute the attack due to lack of the information available. It can well be a group of beginners who publicly sell email hacking services, as well as a nation-state hacking group targeting political activists or western companies. As a precaution, all Outlook users should change their passwords and secret questions, as well as passwords for any other accounts that sent, or could have sent, a password recovery link to their Outlook email.”