Some Hotmail and Outlook users have received a message from Microsoft that hackers have been watching their emails. They could not view the content of the mails, but they could view the subjects and addressees. A support partner’s hacked account is the culprit.

Microsoft confirms to TechCrunch that a number of accounts of Microsoft’s email services (@hotmail.com, @outlook.com, @msn.com and potentially .be variants) have been hacked. The problem came to light when a user made Microsoft’s e-mail public with apologies.

According to the mail, rogue hackers could access users’ e-mail addresses, their folders, subject lines and recipients’ e-mail addresses. The content of e-mails and potential attachments were not visible. The hackers didn’t get any login details and passwords.

No login and password data

Despite the fact that no login and password data were stolen, Microsoft recommends to choose a new password in their communication. The infringement covered the period from 1 January to 28 March.

The hackers got into the system by taking data from a support service. Once Microsoft became aware of the infringement, they immediately closed the affected accounts. The software giant was unaware of the hack all along. It does warn users to keep a closer eye on their inbox in the coming weeks for spam and phishing emails.

For the time being, a lot of questions remain about the scale of the hack. Microsoft has not released any further details about where most of the attacks took place. There are European accounts among them, which means that Microsoft must comply with the GDPR standards. It is possible that more information will follow soon.

Microsoft also does not explain how hackers have been granted access to a support service account and what action they have taken to prevent this from happening in the future. Hopefully in the next few days we’ll have more clarity on the matter. If so, we’ll update this piece.

Email content

This is the full email that affected users have received:

Dear Customer

Microsoft is committed to providing our customers with transparency. As part of maintaining this trust and commitment to you, we are informing you of a recent event that affected your Microsoft-managed email account.

We have identified that a Microsoft support agents credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account. This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments, between January 1st 2019 and March 28th 2019.

Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access. Our data indicates that account-related information (but not the content of any e-mails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used. As a result, you may receive phishing emails or other spam mails. You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source (you can read more about phishing attacks at https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/phishing).

It is important to note that your email login credentials were not directly impacted by this incident. However, out of caution, you should reset your password for your account.

If you require further assistance, or have any additional questions or concerns, please feel free to reach out to our Incident Response Team at ipg-ir@microsoft.com. If you are a citizen of European Union, you may also contact Microsofts Data Protection Officer at:

EU Data Protection Officer
Microsoft Ireland Operations Ltd
One Microsoft Place,
South County Business Park,
Leopardstown, Dublin 18, Ireland
dpoffice@microsoft.com

Microsoft regrets any inconvenience caused by this issue. Please be assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence.

Related: 400 million Office 365 accounts were vulnerable to hack

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.