Microsoft has admitted that its Outlook.com security breach was worse than the company initially revealed. The software maker started notifying some Outlook.com users late on Friday night that a hacker was able to access accounts for months earlier this year. Microsoft’s notification revealed that hackers could have viewed account email addresses, folder names, and subject lines of emails, but in a separate notification to other affected users the company also admitted email contents could have been viewed.
Vice’s Motherboard revealed on Sunday that Microsoft sent a different notification message to around six percent of the affected Outlook.com accounts, and that the company only admitted this when it was presented with screenshot evidence that the breach was far worse for those customers. Microsoft discovered that a support agent’s credentials were compromised for its web mail service, allowing unauthorized access to some accounts between January 1st and March 28th, 2019.
Hackers were able to access email accounts for months
Motherboard claims hackers have been able to access some accounts for up to six months, and have used the access to reset iCloud accounts linked to stolen iPhones. A Microsoft spokesperson tells The Verge “the claim of 6 months is inaccurate,” and pointed towards the company’s notification that mentioned access between January 1st and March 28th, 2019. Microsoft also clarified that the vast majority of Outlook.com accounts that were affected received the notification that The Verge published over the weekend.
“Our notification to the majority of those impacted noted that bad actors would not have had unauthorized access to the content of e-mails or attachments,” says a Microsoft spokesperson in a statement to The Verge. “A small group (~6 percent of the original, already limited subset of consumers) was notified that the bad actors could have had unauthorized access to the content of their email accounts, and was provided with additional guidance and support.”
Microsoft is still refusing to reveal how many accounts were affected.