Microsoft has declined to disclose how many users were affected by the breach, though the knock-on effects can be significant. Here’s what professionals should do in the wake of the breach.
Microsoft notified users of Outlook.com of a security breach that exposed account information on Friday, following the compromise of an account belonging to a customer support representative. Though Microsoft disabled the account upon discovery of the breach, there is the potential that hackers accessed the contents of Outlook.com users’ accounts. (The breach does not extend to desktop users of Outlook with self-hosted email; only Outlook.com, formerly Hotmail, is affected.)
“This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments,” Microsoft said in the email sent to customers, according to ZDNet.
Former Microsoft engineers contested that claim, according to ZDNet’s Catalin Cimpanu, with one former engineer indicating that support representatives can see how many emails you have, email content, and the last person you sent a message to. Microsoft confirmed to ZDNet that around 6% of those who received a notification have had the content of their accounts accessed by hackers.
Microsoft has not revealed how many accounts were affected. Similarly, the length of the breach is unclear—Microsoft claims only three months, though a report from Motherboard indicates it was “up to six months,” with hackers using account access to reset iCloud accounts linked to stolen iPhones. Considering Microsoft’s reticence to admit that users had email accessed until evidence was provided contradicting that claim, their statements on the breach should be taken with a grain of salt.
How to secure your Outlook account
First, change your password. Although passwords are not visible to support agents, and therefore were not visible to the hackers in this breach, changing a password after a breach rarely makes users less secure, unless a weak password is chosen. Though it is practically boilerplate advice, it is still effective. Similarly, accounts linked to your Outlook.com account may have been compromised; changing the passwords there is also advisable.
Second, consider not using Outlook.com. In 2013, The Guardian reported that Microsoft provides pre-encryption access to messages sent through the service to the NSA, and has helped the agency in circumventing encryption for other Microsoft services. Microsoft’s recent track record for security and privacy has been rather spotty, particularly with ongoing controversy surrounding data collection in Windows 10.
An ignominious anniversary
Microsoft Hotmail, the former name of Outlook.com, has a generally poor history of security. In 1999, a vulnerability was discovered that allowed anyone to access an arbitrary Hotmail account by logging in with the password “eh”, due to poor programming practices.
Likewise, in 2001, a similar exploit allowed users to retrieve emails from any other Hotmail account by modifying the URL to include the target’s username and a message number. After disclosure, it took Microsoft three weeks to patch the issue.
These decades-old incidents are not a statement of Outlook.com’s security today—practices for and education in network security among programmers have changed significantly since then—though they do highlight the inherent risk of cloud-based email services.