Help Net Security - Daily information security news with a focus on enterprise security.
Zeljka Zorz, Editor-in-Chief, Help Net Security
April 16, 2019

Hackers used credentials of a Microsoft Support worker to access users’ webmail

On Friday, an unknown number of customers of Microsoft’s webmail services (Outlook.com, Hotmail, MSN Mail) received a notice from the company telling them that attackers had access to their email account for three months.


“We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account,” Microsoft told the victims.

“This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of the other e-mail addresses you communicate with), but not the content of any e-mails or attachments, between January 1st 2019 and March 28th 2019.”

Even though the affected users’ login credentials weren’t compromised, Microsoft advised them to reset their account password just in case.

On Saturday, Microsoft confirmed to TechCrunch that a “limited” number of users were affected, that it didn’t know what data was viewed by hackers or why, and that no enterprise customers were affected.

New developments

But, according to a Motherboard source who purportedly witnessed the attack and screenshots he or she provided, the attackers were able to see the content of some of the affected customers’ emails. The source also said that the attackers gained and kept access to the abused internal Microsoft customer support portal for at least 6 months.

Microsoft has confirmed to the publication that the attackers did have access to the emails of some 6 percent of the impacted customers (the total number has not been shared) and that those customers were notified of this. But the company still maintains that the attackers had access only since January 1st.

Motherboard’s source said that the attackers could access free, but not paid, user accounts, and that the hackers were after accounts of iPhone owners whose devices were stolen and had to be de-coupled from iCloud accounts in order to be reset and sold on. They used these targets’ compromised email accounts to send and confirm password reset requests for iCloud accounts.

ImmuniWeb CEO Ilia Kolochenko advised all Outlook account owners to change their passwords and secret questions, as well as passwords for any other accounts that sent, or could have sent, a password recovery link to their Outlook email.

“Compromise of privileged accounts is a widespread and effective method among cybercriminals to get to the crown jewels at high speed and low cost. It is, however, quite surprising that such a reputable company as Microsoft reportedly has not reacted to the anomalies for as long as three months,” he added.

“Continuous monitoring of privileged accounts is quintessential to ensure data security and compliance. Moreover, nowadays, with emerging machine learning technologies it has become a pretty easy task if properly implemented.”
