[German]The access of unauthorized third parties to Microsoft’s email services such as outlook.com or hotmail.com was deeper than Microsoft first admitted. More details are slowly coming to light.
What Microsoft has admitted so far
On Sunday I had reported within the article Microsoft’s mail services (outlook.com, hotmail.com) hacked about the hack. Microsoft’s email services were hacked and the attackers could access email accounts (@msn.com, @hotmail.com, @outlook.com etc.) of users of these services. A user who is affected has opened a thread at reddit.com about that matter. Microsoft had confirmed the hack (see following picture), but according to the company’s statements it looked like only metadata could be seen by the hackers…
In other words, according to Microsoft, the hackers ‘only’ came to the e-mail addresses of the affected users, the folder names in the mailbox, the subject lines of e-mails and the names of other e-mail addresses with which the user communicates. That’s bad enough. However, Microsoft stressed that no access “to the contents of emails or attachments”, nor – as it seemed – to credentials such as passwords, was possible.
Microsoft has confirmed to TechCrunch that a “limited” number of users of Microsoft web email services such as @msn.com and @hotmail.com were hacked. However, between January 1, 2019 and March 29, 2019, one or a group of unauthorized persons had access to the compromised account of a Microsoft support agent.
This isn’t the end – also access to calendar/mails
osph Cox from Motherboard has now published the article Hackers Could Read Your Hotmail, MSN, and Outlook Emails by Abusing Microsoft Support, which draws a very different picture. In short, Microsoft didn’t tell the whole trutht. The hackers could misuse the Microsoft customer support portal through the compromised support employee’s account to read the emails and calendar data from ‘non-business’ accounts on Outlook, MSN and Hotmail.
In fact, this means that all private mail accounts at the three Microsoft email services mentioned were open to attackers. Only paying business customers were not affected by this hack – as we know today (don’t know, what comes to light in future). The source behind the hack probably described the attack to Motherboard, and also addressed the question of how he gained access to the accounts by misusing Microsoft’s customer support tool.
On Sunday Motherboard’s source repeated these details and provided more information and screenshots about what kind of access the hackers had to the Microsoft email accounts. Some of the screenshots made available to Motherboard show a panel with a list of account information that the hacker could access. It also showed access to the client’s calendar and date of birth. In the upper part of the window there are several sections such as “Profile”, “Mailbox Folder Statistics”, “Admin Center” and “Login History”.
After Microsoft had claimed that the attack had no access to the e-mail content, the source adds a proof of accessed e-mail bodies. The source confirmed to Motherboard that the attack technique allows full access to email content. On Sunday, the source provided another screenshot of another side of the panel, with the label “Email Body” and the text of an email edited by the source.
The source said that the Microsoft support account used belonged to a highly privileged user, which means he probably has more access to material than other employees. When Motherboard presented this screenshot to Microsoft, the company confirmed that it had also sent notification emails about such violations to some users. Microsoft states that this applied to about 6 percent of a small number of affected customers. However, the company remains silent about the absolute number of affected customers. A Microsoft spokesperson told Motherboard in a statement:
“We addressed this scheme, which involved a limited subset of consumer accounts, by disabling compromised credentials and blocking access by the perpetrators”.
Many open questions
Microsoft suggest for users to change their password for login to their e-mail account. But let’s make clear: Each user created a Microsoft account in Windows 8, 8.1 and 10 using Microsoft’s default process, has been assigned such a free e-mail account with the same password used for Windows login. Also onedrive and many other Microsoft services are associated to this account. A German user has listed several MS services associated to such an Microsoft account here. Are these MS services affected too – I would say yes.
Finally, the open questions remain: Is that really all, or will we soon receive the next bad news? And are European users affected? If so, what does this mean with regard to the GDPR? This is a GDPR incident that has to be reported to the authorities. For me, there is a simple conclusion: For online data it seems only a matter of time before it falls into the hands of non-authorized persons.