Outlook.com breach allowed hackers to read (some) emails for months


There’s some bad news for Outlook.com users, as it's emerged that the webmail service has been compromised and some folks have had their accounts hacked, with the perpetrators even able to read emails in a limited number of cases – despite Microsoft’s initial denial that email content was viewable.

Details of the security breach were revealed when TechCrunch ran a report claiming that some Outlook.com accounts – including those with Hotmail addresses (the old name for Outlook.com) and MSN.com addresses – had been compromised.

Apparently the hackers managed to get hold of a customer support technician’s login credentials, which they used to access various consumer accounts (paid business accounts weren’t affected).

Microsoft clarified that this “affected a limited subset of consumer accounts” and that the malicious activity began at the start of January 2019 and ran through to almost the end of March, so it lasted essentially three months.

However, Microsoft said the hackers could only see the user’s email address, folders, and subject lines of messages (as well as addresses the user has emailed), but that they couldn’t actually read the contents of an email, or view attachments (or indeed gain access to the login credentials of the account).

The worry was that even limited information like email subject lines could enable malicious parties to concoct a more convincing phishing scam to aim at the user whose email they have (and they could also employ extra details like the names of friends, gleaned from the email addresses the user has contacted).

Emails have been read

However, it then emerged that matters were worse than Microsoft first admitted: Motherboard spoke to a source who claimed that a ‘large number’ of accounts were affected and, what’s more, that in some cases the contents of emails were read by the hackers – and Microsoft subsequently confirmed the latter was true.

Specifically, Microsoft admitted it had sent notifications of a security breach to some users informing them that their email content had (potentially) been read, but that this only applied to a small proportion of the affected users, around 6%.

We don’t know how many accounts that is, because Microsoft didn’t provide an estimate of the overall number of users who were hit by this hack.

Motherboard’s source further claimed that the hackers actually had access to emails for around six months prior to March, but Microsoft firmly denies that.

Despite the perpetrators not gaining access to account passwords, Microsoft is still recommending that if you’ve been affected, you should change your password as a precautionary measure. If you have been affected, you should have received an email informing you of this by now.

It’s also worth underlining that you should keep an eye out for potential scam or phishing emails, because, as we’ve already mentioned, the data gleaned from your email account – even things as simple as subject lines – could well be used to craft a much more convincing attack that attempts to deliver malware onto your PC.

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).