Last Friday, Outlook users started receiving breach notification emails from Microsoft which, in addition to telling them that an unknown attacker had accessed some of the information in their inbox, informed them that the Redmond-based giant is ‘committed to providing our customers with transparency’. If you’ve been reading about data breaches for long enough, you’ve probably grown tired of this sort of boilerplate statement, not least because such statements often turn out to be void of any true value or credibility. But what about Microsoft? Is it really trying to be as transparent as possible? Let’s take a look at what happened and find out.
Hackers had unauthorized access to Outlook emails
According to the email, between January 1 and March 28, “individuals outside Microsoft” managed to infiltrate users’ Outlook accounts and got access to details like the victim’s own email address, the email addresses they’ve been communicating with, folder names, and subject lines. The attack was made possible after a set of login credentials that originally belonged to a Microsoft support agent fell into the wrong hands. As soon as they learned about it, Bill Gates’ security experts invalidated the stolen credentials and stopped the attack.
According to the notifications people shared on social media, the attackers had no access to any email messages or attachments. Although victims’ Microsoft login credentials remained intact, affected users were asked to change their passwords, just in case.
Microsoft warned users that they might see an uptick in phishing and spam emails, but it failed to say how it detected the unauthorized access and why it took close to three months to do so. No information was given on the number of people that were affected, either. The “we value transparency” argument is looking a bit shaky at the moment, and things don’t get much better when you see how the events unfolded over the weekend.
Microsoft remains tight-lipped on the details
Outlook is the spiritual successor of Hotmail – one of the oldest email providers in the world. It has hundreds of millions of active accounts, and the news that some of them have been breached was never going to go unnoticed. On Saturday, TechCrunch covered the story and asked Microsoft for further comment. Unfortunately, details remained thin on the ground once again. Other than saying that “a limited” number of people have been affected and that none of them are enterprise customers, Microsoft disclosed no further information.
While the Silicon Valley colossus was trying to convince everybody that it’s not as bad as it seems, Motherboard’s Joseph Cox was preparing a report which he published on Monday. Apparently, a source close to the perpetrators got in touch with him and gave him information that painted a somewhat different picture. For example, he was told that the hackers had access to the accounts for six rather than three months and that during the attack, they broke into some iCloud accounts and fiddled with victims’ security settings. Joseph Cox’s source also revealed that, contrary to the claims in the notification, the hackers actually had access to at least some of the targets’ email messages and attachments.
Naturally enough, Microsoft’s PR people were asked for comment yet again, and they remained firm that the attack didn’t last for more than three months. When presented with the evidence, however, they did admit that the email communication of about 6% of the victims had been exposed. Once again, the exact number of affected individuals remained unknown.
Whether this fits the definition of “transparency” is for you to decide. In the meantime, here are some things you should probably consider if you are an Outlook user.
Things Outlook users should know
As Microsoft stated in their notification, at the moment, there is nothing to suggest that people’s Outlook usernames and passwords were compromised. Nevertheless, you might want to think about changing your password, especially if you’re one of the people that were affected by the attack.
Needless to say, the new password you assign to your Microsoft account must be both complex and unique, and enabling two-factor authentication, or two-step verification as Microsoft calls it, is also a good idea. To do that, log in to your Microsoft account, go to the “Security” tab, and click “More security options”. Click “Set up two-step verification” and follow the steps.
If you really want to make hackers’ lives harder, you can create a new alias and use it instead of your real email to log in to your account. Go to the “Your info” tab, click “Manage how you sign in to Microsoft”, and select “Add email”. This lets you create a new @outlook.com email address which will not be known to the hackers. Select an address that hasn’t been taken already and click “Add alias”. Now, click “Make primary” to effectively turn your new alias into the username for your Microsoft account. Finally, go to “Change sign-in preferences” and uncheck the box next to your old email address.
With that, you will be able to send and receive emails using the address everybody knows, but neither you nor anyone else will be able to use it to log in to your Microsoft account. This may seem like too much hard work, and indeed, for many users, it could be overkill. Nevertheless, it’s good to know that Microsoft allows it.
Unfortunately, the new Outlook breach shows that even the most robust security mechanism is no match for a support agent who loses track of his password. Here’s hoping that we won’t need to discuss Microsoft’s understanding of “transparency” ever again.
The post Steps Every Outlook User Must Take in the Wake of a Major Security Breach appeared first on Cyclonis.