Microsoft has confirmed that hackers were able to access customers’ web-based email accounts for a period of three months at the beginning of the year. Between January 1 and March 28, unknown hackers hit the accounts of various Microsoft email services.
The company is in the process of sending notifications to those who have been affected by the issue and it recommends users change their account passwords.
Microsoft says that a “limited subset” of consumer account where affected, and the hackers have now been stopped. The attack affected @msn.com, @hotmail.com and @outlook.com email addresses, but Microsoft is keen to stress that while the hackers may have been able to access email addresses, folder names and email subject lines, the content of emails — including attachments — was not accessed.
TechCrunch shares an email sent out to users by Microsoft:
Microsoft is committed to providing our customers with transparency. As part of maintaining this trust and commitment to you, we are informing you of a recent event that affected your Microsoft-managed email account.
We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account. This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments, between January 1st 2019 and March 28th 2019.
Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access. Our data indicates that account-related information (but not the content of any e-mails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used. As a result, you may receive phishing emails or other spam mails. You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source (you can read more about phishing attacks at https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/phishing).
It is important to note that your email login credentials were not directly impacted by this incident. However, out of caution, you should reset your password for your account.
Microsoft has not said how many accounts were affected by the incident, nor has it given any indication of who may have been responsible. In addition to the email sent to customers, Microsoft’s only further comment is a statement in which it says: ” We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access”.