How you can protect your data after Microsoft's Email Hack
Hackers using stolen credentials have raided Microsoft's tech support desks since the beginning of the year and stolen personal email information of thousands of customers using Hotmail and other webmail services.
Microsoft has confirmed that the unidentified hackers accessed a range of information from a subset of users with accounts at hotmail.com, outlook.com and msn.com between January 1 and March 28, according to an email describing the breach sent to TechCrunch, the online tech publisher.
The breach exposed email addresses, folder names, subject lines and names of recent recipients, and even full email content for about 6% of the affected accounts, according to Microsoft. Security experts said a couple of quick fixes by Microsoft's customers would help protect their emails.
The massive theft points to dual challenges: for consumers, who must resolve complex technical support issues, and for Microsoft and other Silicon Valley titans, which must gather enough information from customers to provide sufficient tech support.
“Within the security community, customer and internal support mechanisms are increasingly seen as a potential source of exposure,” says Lily Hay Newman of Wired magazine. “On the one hand, support agents need enough account or device access to be able to actually help people. But as the Microsoft incident shows, too much access in the wrong hands can cascade into a dangerous situation.”
After the breach, Microsoft initially denied that e-mail texts had been accessed and told customers that it had responded by shutting down the access points to the accounts. “We addressed this scheme by disabling the compromised credentials to the limited set of targeted accounts, while also blocking the perpetrators’ access,” Microsoft wrote in an email to account holders. “Out of an abundance of caution, we also increased detection and monitoring to further protect affected accounts.”
But investigative reporting by Motherboard.com, a unit of Vice magazine, quoted unidentified sources who said the hackers gained full access to email content for some customers. The hackers used a Microsoft support account that belonged to a high-privileged user, the sources were quoted as saying, meaning the hackers likely had more access to material than other Microsoft employees.
Microsoft initially minimized the extent of the breach, describing it as affecting a “limited number of customer accounts.” But the company later revised its statement after the Motherboard report, confirming that the hackers gained access to email content for about 6% of an unidentified number of affected customers. “That percentage is without perspective, because the total number of accounts affected has not been released,” said Jeremy Kirk, an analyst with Bank Info Security. “Microsoft's email services are used by hundreds of millions of people.”
The hackers broke into a customer support account at Microsoft, where they stole information from email accounts, including subject lines and addresses of email recipients. This information appears to have been used to access so-called 'remove-activation locks' on stolen iPhones, according to Motherboard, which effectively unplugged the phones from accompanying iCloud accounts. Microsoft warned customers that the data accessed could also be used for targeted phishing.
Security experts, however, say that this and similar breaches would have been avoided if Microsoft had required customer support accounts to use two-factor authentication. Such authentication is also lacking in many other workplaces, making customer support one of the highest-risk areas in data security.
"We do a lot of consulting engagements where we go up to any machine at a company, call up the support desk, and then can grab the support engineers' credentials when they connect to the machine and use them to access other servers — like the CEO's server," Dave Aitel, the chief security technology officer at the secure infrastructure firm Cyxtera, told Wired. "In general, support is a big security hole waiting to happen."
In the meantime, the best step forward for Microsoft customers is also one of the easiest fixes, according to Mark Hachman, the senior editor for PCWorld.
“If you use one of Microsoft’s affected services, consider changing your password anyway,” he said. “The scope of the breach may widen. Also, dig down into your spam folder. While it’s unlikely that an email of this importance was buried, it’s possible, and you’ll want to know about it.”