
Microsoft confirms Outlook.com and Hotmail accounts were breached

Between 1 January and 28 March this year hackers were able to access a “limited number” of consumer Outlook.com, Hotmail and MSN Mail email accounts, Microsoft has confirmed.

News of the attack first emerged late last week when the company started sending emails to what seems to be a small subset of affected users which ended up being discussed on Reddit:

We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account.

Microsoft says that data access was limited:

This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments.

When Microsoft realised the stolen credentials were being abused, it disabled the access, the company added. The crucial sentence:

It is important to note that your login credentials were not directly impacted by this incident.

Microsoft still recommends that everyone receiving a notification should change these as a precaution, and also warned that affected users were now at risk of receiving phishing emails.

Contradicting some of this is a source who contacted Motherboard claiming that access was more extensive than has been admitted, specifically that the attackers were able to access email content.

When presented with the evidence, Microsoft said that “around 6%” of the impacted customers fell into this category, all of whom had been informed of the breach.

Right now, recommending that every one of Microsoft’s hundreds of millions of consumer email users reset their password seems like an over-reaction.

However, we’d still recommend that all users check their account to see whether they were contacted by Microsoft with an alert email.

And, as always, make sure you are practising good password hygiene – make each password different for every online account you have and consider using a password manager to help you generate and store them all.

17 Comments

How can you contact the people who were affected if they can’t get into their email accounts? I have been trying for two weeks to get into my account by contacting Microsoft every way I knew how and there was no response. 12 years of personal information I am not able to recover. Warranties, pictures, airport credits all gone.

Reply

As far as we can tell, this breach didn’t affect anyone’s ability to get into their accounts. Unauthorised users might have been able to winkle out some data from your account that they weren’t supposed to see, but they weren’t able to lock you out of your own account.

In other words, if you’re locked out of your account, the cause lies elsewhere…

Reply

I was affected by this. My email was taken over on March 23rd and I have been locked out ever since. The malicious user changed my recovery email, my recovery phone number and added two-step verification onto my account, now locking me out permanently. Microsoft’s response to this was to just shut my account down. Not to give me access back…. What the HELLL?

Reply

Your account takeover sounds unrelated to this breach – but that’s no comfort to you now. I’m afraid I don’t know how to action a claim with Microsoft to request a suspended account back… have any other readers done this? If so, how did you get along?

Reply

This is bad for Microsoft. Since Gates retired, Microsoft has gone downhill. No one has a plan to resolve an issue or take ownership of a problem until an outsider points out their problems. Two years and Microsoft will be gone.

Reply

Google does the same thing with Gmail. It’s wrong. If you tell them your account has been compromised, I believe that they should do all they can to return it and all of your content back to you. Not let a thief control it and do God knows what with it. That’s a form of burglary and identity theft. With these companies’ current methods, if you try to retrieve the account then the thief will automatically know. And they need to stop making everything automated as well. People need jobs anyway. They need to hire teams of people. Some situations just require the aid of other people to fix them.

Reply

Don’t know if it is to do with the same problem, but I have been locked out of my email account and trying to get back in seems impossible. I am even having trouble getting into a new account I set up.

Reply

I appreciate your frustration; I had a similar experience many years ago. However, Sophos is not Microsoft customer services, though if they could help I am sure they would.

Reply

Yes my account has been hacked as I notice someone was sending emails to people I don’t know and to countries I’ve never been to. Some were coming back as unsent. That’s how I noticed. How do I stop this. I have changed my password to a more secure one already but what else can I do and what is Microsoft going to do?

Reply

You’ve changed your password, which is good. Consider adding two-factor authentication to your account to make it harder for the next lot of crooks to get in. Check any mail processing rules you have set up to make sure the crooks haven’t been messing with them (for example, to set mail filters that stop you seeing certain types of message, such as security warnings).

A hack where someone had broken right into your account is almost certainly unrelated to this particular story, but you should take the abovementioned precautions anyway!

Oh, and if you had used that password anywhere else, [a] change those passwords too and [b] never share passwords again!

HtH.

Reply

Did you actually have items in your Sent Items that were not sent by you yourself?
If the only evidence you have of an account takeover is that you’ve had some non-delivery reports, then that could quite possibly have been as a result of spammers spoofing emails with your email address. Your account may actually have never been taken over.

Reply

There are no ‘hackers’ at scale. Just bots running a program: capture IDs, use accounts for emails etc. Few are looked at by a human.

Reply

My email went blank on Mac in every folder, but I am still able to see my email on my iPhone. Has this happened to anyone? Have you heard of or seen this before? Do you know how to resolve it?

Reply

I’ve been trying to get through to the Microsoft helpline here in Australia but have had no hope. I cannot access my Hotmail account that’s connected to my Facebook. I have not used this email account for a long time and have forgotten the password. Can someone contact me in regards to how I can retrieve this email back?

Reply

How do I know messages apparently from Hotmail telling me there has been suspicious activity, and please update my credentials and Microsoft security alert etc are real and not hackers?

Reply

Log in to Outlook yourself, using a URL you have already bookmarked, and review your account there. If you avoid links in emails – even if they later turn out to be legitimate – then you’ll never click a bogus one! If there is an alert, you should be able to find it yourself, using the email only as a reminder to go and check, not as a signpost telling you how to get there.

Reply
