Microsoft Cloud Breach: Hackers Read Your Email for 90 Days

Hackers have been able to read the email of Microsoft’s free cloud customers—no password required. Yes, you read that right.

Incredibly, the perps got away with it for almost three months, from early January to late March. It appears they stole a master “golden” support credential—presumably via social engineering.

But Microsoft “takes data protection very seriously.” So that’s OK then.

On the face of it, this is palm-worthy to the max. In today’s SB Blogwatch, we can’t believe what we read.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: WT Riker’s big nope.

Face Meets Palm

What’s the craic? Joseph Cox brings the bad news—“Hackers Could Read Your Hotmail, MSN, and Outlook Email”:

 On Saturday, Microsoft confirmed … a hacker or group of hackers had … access to information related to customers’ email accounts such as the subject lines … and who they’ve communicated with. … But the issue is much worse than previously reported, with the hackers able to access email content from a large number of Outlook, MSN, and Hotmail email accounts.

Enterprise accounts that businesses pay for weren’t affected [but] normal consumer accounts were. … Microsoft said … the company’s “data indicates” email contents could not have been viewed. [My] source, however, said that the technique allowed full access to email content.

Yikes. Duncan Riley drives the point home:

 Why Microsoft would first deny that the content of victims’ emails had been accessed, then when confronted with evidence to the contrary change its statement, was not immediately clear. … Microsoft noted that it “regrets any inconvenience caused by this issue,” and that [we] should be “assured that Microsoft takes data protection very seriously.”

The next challenge will likely be the involvement of the European Union. … At least some of … those affected … were in the European Union, meaning that the data breach will fall under the purview of the [GDPR]. Because of that, an EU investigation is likely to follow into whether Microsoft complied with the regulation and whether it did its best to prevent the hack.

But how? Anne P. Mitchell, Esq. speculates thuswise:

 While Microsoft hasn’t yet shared exactly how the compromise happened, it’s quite possible that it was through social engineering. … One has to imagine that it would be orders of magnitude more difficult for a hacker to somehow breach Microsoft’s security, as compared to talking their way into it.

Anyone we know affected? Here’s shinratechlabs:

 My account was hacked as a direct result of this. Lost $25,000 in crypto.

Strange New IP is this really you? Click. New password? Sure? Click. Want to add 2FA so the real owner can’t get in? … Click.

Oh and since you’re basically a Hotmail employee today let’s just erase all emails that this happened today so when the real email user logs in there’s literally no trail of this happening.

I am sure I am not the only one. Crypto users were targeted.

Interesting theory. This Anonymous Coward asks the important question:

 Why should anyone at MS have access to your hotmail account in the first place, let alone at customer support?

ikr? And George Bevis agrees:

 I cannot imagine why Microsoft staff should ever be able to read body text of customers’ email. That they can is more troubling than that they were hacked.

But kerng adds a dash of nuance:

 Of course there has to be a way to access email—how would they troubleshoot or fulfill legal investigations?

The problem is that an attacker can follow the “legitimate” path – and such attacks should be audited and detected, which is what obviously failed here.
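The point kerng makes, that the “legitimate” support path must be audited and the abuse detected, is the kind of thing a mailbox-access log makes checkable. The sketch below is an added example, not Microsoft’s tooling or anything described on the page: the log format, field names, account names and thresholds are constructed for illustration. It runs two checks over a constructed support-console audit log: one flags a support account that opens the message bodies of more distinct mailboxes than a tight per-window limit allows (metadata views are held to a looser bar than content reads), and the other flags the reset-password, enrol-2FA, delete-mail chain on a single mailbox that shinratechlabs describes, where each step alone is routine support work and only the chain is suspicious.

```python
"""Detection sketch for abuse of a support tool's 'legitimate path' into
customer mailboxes.  Added example, not Microsoft's tooling: log format,
field names, actor names and thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records from a hypothetical support console, one event
# per line: timestamp, support actor, action, target mailbox, source IP.
SAMPLE_LOG = """\
2019-03-20T09:00:01Z support-07 view_metadata alice@example.test 10.0.0.5
2019-03-20T09:02:10Z support-07 view_metadata bob@example.test 10.0.0.5
2019-03-20T09:03:00Z support-42 view_body carol@example.test 203.0.113.9
2019-03-20T09:03:20Z support-42 view_body dave@example.test 203.0.113.9
2019-03-20T09:03:45Z support-42 view_body erin@example.test 203.0.113.9
2019-03-20T09:04:10Z support-42 view_body frank@example.test 203.0.113.9
2019-03-20T09:05:00Z support-42 reset_password frank@example.test 203.0.113.9
2019-03-20T09:05:30Z support-42 enroll_2fa frank@example.test 203.0.113.9
2019-03-20T09:06:00Z support-42 delete_mail frank@example.test 203.0.113.9
"""

BODY_READ_LIMIT = 3            # distinct mailboxes whose content one actor may open per window
WINDOW = timedelta(minutes=10)  # assumed detection window
TAKEOVER_SEQUENCE = ("reset_password", "enroll_2fa", "delete_mail")


def parse_log(text):
    """Turn whitespace-separated audit lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target, ip = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "actor": actor, "action": action, "target": target, "ip": ip,
        })
    return events


def flag_bulk_body_reads(events, limit=BODY_READ_LIMIT, window=WINDOW):
    """Return {actor: sorted mailboxes} for actors who opened message bodies of
    more than `limit` distinct mailboxes inside any sliding window.  Metadata
    views are ignored: content access is rarer and gets a tighter threshold."""
    reads = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "view_body":
            reads[e["actor"]].append(e)
    flagged = {}
    for actor, evs in reads.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["target"] for e in evs[start:end + 1]}
            if len(distinct) > limit:
                flagged[actor] = sorted(distinct)
                break
    return flagged


def flag_takeover_sequences(events, sequence=TAKEOVER_SEQUENCE, window=WINDOW):
    """Return (actor, mailbox) pairs where one support actor performed the full
    ordered chain in `sequence` on one mailbox within `window`."""
    per_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] in sequence:
            per_key[(e["actor"], e["target"])].append(e)
    hits = []
    for key, evs in per_key.items():
        idx, first_ts = 0, None
        for e in evs:
            if e["action"] != sequence[idx]:
                continue
            if first_ts is None:
                first_ts = e["ts"]
            idx += 1
            if idx == len(sequence):
                if e["ts"] - first_ts <= window:
                    hits.append(key)
                break
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("bulk content reads:", flag_bulk_body_reads(evs))
    print("takeover chains:", flag_takeover_sequences(evs))
```

Run stand-alone it reports support-42 for both checks and nothing for support-07, whose metadata lookups stay under the bar. The design point is that neither check needs to know the attacker’s credential was stolen: it only needs the support tool to log every mailbox access and every account-recovery action under the acting staff identity, which is exactly the audit trail kerng says failed here.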

So Rich Mogull asks the other important question:

 So does this mean Microsoft wasn’t using MFA on their customer support portal? Or, if they were, it was compromised?

How does this happen to a major cloud provider in 2018/19?

But still, y’know, Hotmail. Evan Greer breaks the frame:

 Before you make a “people who have Hotmail deserve this” crack (which I get, I was tempted too), let’s remember that everyone deserves privacy, safety, and security, not just nerds with protonmail accounts.

Meanwhile, fsckin is in ur filesystem, checking ur inodes:

 When I worked for MSN/Hotmail around 2000-2003, there were dozens of helpdesk folks who had access to an admin panel to easily view any email. [They] could view/edit PII for anyone with very little … accounting.

It was protected by plaintext auth and open to the internet. One employee told me that he caught his wife cheating by reading her mail.

Obviously not much has changed.

And Finally:

Jonathan Frakes tells you you’re wrong for 47 seconds

Hat tip: Rob Beschizza

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Alex Proimos (cc:by)

Richi Jennings


Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, and NetApp on Forbes. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
