Earlier this month, Motherboard broke the news that hackers were not only able to access Outlook users’ email metadata as previously reported, but also email content. The breach centered around a hacker getting hold of a Microsoft customer support worker’s login credentials; from there, the hacker could dive into the content of any non-corporate Outlook, Hotmail, or MSN account, Motherboard found.
Now, multiple victims have come forward to flag what they believe may be one of the motivating reasons behind the breach: emptying peoples’ cryptocurrency accounts.
“The hackers also had access to my inbox allowing them to password reset my Kraken.com account and withdrawal [sic] my Bitcoin,” Jevon Ritmeester, a Microsoft user that the company alerted to the data breach, told Motherboard in an email, referring to popular cryptocurrency exchange Kraken.
For verification purposes, Ritmeester provided Motherboard with the breach notification emails he received from Microsoft, as well as a screenshot showing what he said was an email forwarding rule the hackers set up: anytime an email mentioned the term “Kraken,” his account would automatically forward it to a Gmail address presumably controlled by the hackers.
That would include emails such as password reset and Bitcoin withdrawal requests. Indeed, Ritmeester only found someone had requested both of those after checking the trash of his email account, he wrote in a recent post on the tech forum Tweakers. In the post, he added that he lost just over 1 bitcoin, or around $5,000 at the current exchange rate.
It appears Ritmeester isn’t the only person who hackers stole cryptocurrency from due to the Microsoft breach.
“My account was hacked as a direct result of this,” Reddit user shinratechlabs wrote earlier this month, adding that they lost “25,000 in crypto,” although it’s not clear what currency they may be referring to, fiat or otherwise.
“Same exact for me only a lot less funds stolen, sucks,” another Reddit user, mickey_ficke, chimed in. Neither Reddit user responded to a request for comment.
“I feel Microsoft is trying to cover up and is not taking this seriously.”
In his post on Tweakers, Ritmeester said he didn’t have two-factor authentication enabled on Kraken, which may have kept the hackers out of this cryptocurrency account. If he had it enabled, the hackers may have had to take control of this phone number as well in order to intercept the two-factor authentication tokens, for instance.
A Microsoft spokesperson told Motherboard in an email on Monday that, “Customers who believe they have been impacted beyond what was outlined in the company’s notification should contact the Microsoft support team for assistance.”
Originally, when TechCrunch and other outlets reported the Outlook data breach, Microsoft said it only impacted email metadata and customer information, such as subject lines and the names of other email addresses users communicated with. After Motherboard presented Microsoft with evidence that email content had also been impacted, Microsoft revised its statement, despite already being fully aware that content was exposed; the company had issued breach notification emails to victims saying as much.
“I feel Microsoft is trying to cover up and is not taking this seriously,” Ritmeester said.
Motherboard previously reported that at least some of the Microsoft email access had been used as part of so-called iCloud unlocks, where hackers try to remove a security feature from lost or stolen iPhones so they can resell the devices on the black market.
Ritmeester told Motherboard, “I think Microsoft talks about this way to lightly [sic] about this leak and I think there are a lot of users who have suffered damage in one way or another as there is a lot of sensitive information in an inbox.”
He added, “I am planning to at least file a police report and thinking about holding Microsoft liable for the financial damage and the fact that a lot of my personal information may get leaked in the near future.”
Subscribe to our new cybersecurity podcast, CYBER.