Microsoft disputes Outlook data breach report

Microsoft warned Outlook users who may have had data compromised in an attack using customer support login credentials to access account information over the course of months.

Microsoft warned users of its web email services that accounts may have been compromised, and some sensitive data may have been accessed.

Beginning late Friday, Microsoft sent email messages to users of Outlook, Hotmail and MSN Mail, alerting them that an unauthorized third party gained partial access to Microsoft-managed accounts between Jan. 1 and March 28 of this year. According to Microsoft, the Outlook data breach was limited in scope. Microsoft initially said attackers potentially had access to email addresses of affected users and those they communicated with, folder names and subject lines of messages.

However, after TechCrunch first reported the story, Motherboard claimed to have seen screenshots from the threat actors involved in the Outlook data breach. The attackers claimed the issue persisted for as long as six months, and they were able to access email content from "a large number" of users.

A Microsoft spokesperson refuted the claim that the Outlook data breach spanned six months, calling it "inaccurate" and reaffirming the January-to-March timeline. Microsoft did admit attackers accessed more information for some users.

"Our notification to the majority of those impacted noted that bad actors would not have had unauthorized access to the content of emails or attachments. A small group ([approximately] 6% of the original, already-limited subset of consumers) was notified that the bad actors could have had unauthorized access to the content of their email accounts, and was provided with additional guidance and support. Out of an abundance of caution, we also increased detection and monitoring for the affected accounts," a Microsoft spokesperson wrote via email. "We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators' access."

Motherboard reported that the Outlook data breach was caused by attackers stealing credentials for a customer support account. Microsoft did not respond to questions asking to confirm this, nor did Microsoft say whether users with multifactor authentication (MFA) were safe from the attack.

Robert Vamosi, senior product marketing manager at ForgeRock, an identity and access management company in San Francisco, said MFA likely wouldn't have helped victims of the Outlook data breach, because "the malicious third party did not gain access to login credentials."

"However, people can sometimes include sensitive information in their emails, such as login credentials, PII [personally identifiable information] or even payment [and] bank account information," Vamosi said. "In that case, MFA should be enabled on those compromised services, along with changing the current password, to prevent any future attempts at account hijacking."

George Cerbone, principal solutions architect at One Identity, based in Aliso Viejo, Calif., noted that if the attack was caused by stolen support credentials, Microsoft makes products that could have protected that account from being compromised.

"Microsoft could have followed their own advice and instituted what they suggest to other customers, called a Privileged Access Workstation. This would put in a series of controls that the employee would have to follow when they need to access sensitive information," Cerbone said. "Another option, which is something that Microsoft also offers, is a PIM [privileged identity management] tool. This tool would allow employees to request access to do certain privileged functions for a period of time. Once that time has expired, it would pull back those privileges until needed again."

Dig Deeper on Application and platform security