Microsoft has admitted that its Outlook.com security breach was worse than the company initially revealed. The software maker started notifying some Outlook.com users late on Friday night that a hacker was able to access accounts for months earlier this year. Microsoft’s notification revealed that hackers could have viewed account email addresses, folder names, and subject lines of emails, but in a separate notification to other affected users the company also admitted email contents could have been viewed.
Microsoft has confirmed that a number of Outlook.com email accounts were accessible by hackers for the three months from January 1 to March 28, 2019. While the company will not reveal how many accounts were hacked this way, it says that the access was done via a support agent’s login credentials which were compromised.
Microsoft also says that no message data was read. The details exposed include the account holder’s email address, the subject headings of any messages, “and the names of other email addresses you communicate with,” continued Microsoft.
“This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account,” said Microsoft in an email sent to users,” but not the content of any emails or attachments.”
The company does not reveal how the breach was detected, but says that it was then stopped quickly. “Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access,” it says. “Our data indicates that account-related information (but not the content of any emails) could have been viewed, but Microsoft has no indication of why that information was viewed or how it may have been used.”
Microsoft is still refusing to reveal how many accounts were affected.
