Sophos News

Microsoft confirms Outlook.com and Hotmail accounts were breached

Between 1 January and 28 March this year hackers were able to access a “limited number” of consumer Outlook.com, Hotmail and MSN Mail email accounts, Microsoft has confirmed.

News of the attack first emerged late last week when the company started sending notification emails to what appears to be a small subset of affected users; one of those emails ended up being discussed on Reddit:

We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account.

Microsoft says that data access was limited:

This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments.

When Microsoft realised the stolen credentials were being abused, it disabled the access, the company added. The crucial sentence:

It is important to note that your login credentials were not directly impacted by this incident.

Microsoft still recommends that everyone receiving a notification should change their password as a precaution, and also warned that affected users are now at increased risk of receiving phishing emails.

Contradicting some of this is a source who contacted Motherboard claiming that access was more extensive than has been admitted, specifically that the attackers were able to access email content.

When presented with the evidence, Microsoft said that “around 6%” of the impacted customers fell into this category, all of whom had been informed of the breach.

Right now, recommending that every one of Microsoft’s hundreds of millions of consumer email users reset their password seems like an over-reaction.

However, we’d still recommend that all users check their account to see whether they were contacted by Microsoft with an alert email.

And, as always, make sure you are practising good password hygiene – make each password different for every online account you have and consider using a password manager to help you generate and store them all.