On Saturday, Microsoft confirmed to TechCrunch that some users of the company’s email service had been targeted by hackers. A hacker or group of hackers had first broken into a customer support account for Microsoft, and then used that to gain access to information related to customers’ email accounts such as the subject lines of their emails and who they’ve communicated with.
But the issue is much worse than previously reported, with the hackers able to access email content from a large number of Outlook, MSN, and Hotmail email accounts, according to a source who witnessed the attack in action and described it before Microsoft’s statement, as well as screenshots provided to Motherboard. Microsoft confirmed to Motherboard that hackers gained access to the content of some customers’ emails.
In March, before Microsoft publicly confirmed the hack, the source told Motherboard that this abuse of a customer support portal allowed the hackers to gain access to any email account as long as it wasn’t a corporate-level account. This means that while paid enterprise accounts used by businesses weren’t affected, normal consumer accounts were. The source described the attack, including how it relied on abuse of Microsoft’s customer support tool. On Sunday, the source reiterated those details, and provided Motherboard with further information and screenshots of what kind of access the hackers had.
“We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account,” an email from Microsoft to a victim, and posted to Reddit on Saturday, reads.
The email adds that the hackers could have accessed email folder names, the subject lines of emails, and the names of other email addresses the user communicated with. Some of the screenshots provided to Motherboard related to the attack show a panel with a list of account information that the hacker could access, including the customer’s calendar and birth date. The top of the panel has different sections such as “Profile,” “Mailbox Folder Stats,” “Admin Center,” and “Logon History.”
In its notification email, Microsoft said the hackers couldn’t access email content or attachments, and then in another section, that the company’s “data indicates” email contents could not have been viewed.
Motherboard’s source, however, said that the technique allowed full access to email content. On Sunday the source provided another screenshot of another page of the panel, with the label “Email Body” and the body of an email redacted by the source. They said the Microsoft support account used belonged to a highly privileged user, meaning they likely had more access to material than other employees.
When presented with this screenshot, Microsoft confirmed it had also sent breach notification emails to some users that did say the customer’s email content had been impacted. Microsoft said that applied to around 6 percent of a small number of impacted customers, although the company didn’t specify how many in total.
“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” a Microsoft spokesperson told Motherboard in a statement.
Microsoft, like many other tech giants, does have the ability to scan or read users’ messages. In 2014, Microsoft looked into the email account of a French blogger to identify a Windows 8 leaker.
In its breach notification email, Microsoft said it immediately disabled the compromised customer support account once the company discovered the issue. The source said Microsoft noticed the attack at the end of March, and that hackers had access for at least six months. Microsoft pushed back against this, and pointed to its notification email which gave a timeframe between January 1st and March 28th.
The source said this access had been used as part of so-called iCloud unlocks, where hackers will compromise a target’s email or iCloud account in order to remove Activation Lock from their iPhone. This is an Apple security feature that stops thieves from factory resetting stolen devices and selling them on.
Update: This piece has been updated to include additional comment from Microsoft with the company pushing back against the claim of the issue being abused for at least six months.