Hackers Got Outlook.com Emails, Maybe Hotmail, MSN Too

Microsoft has acknowledged a major breach of its Outlook.com email service that left a portion of its user base at risk of having their messages read by hackers. MSN and Hotmail users may be affected, too. Microsoft has not disclosed how many accounts were affected, but an anonymous source told Motherboard that it was "a large number."

Credit: Microsoft

(Image credit: Microsoft)

On Friday (April 12), Microsoft sent notifications to some of its Outlook.com users, informing them that "individuals outside Microsoft" had for a period of nearly three months had the ability to view those users' email addresses, see their subject lines, and determine the names of their folders.

In that earlier notification, according to The Verge, Microsoft didn't make any mention of unauthorized intruders being able to see the contents of email messages. Motherboard on Sunday, however, said that Microsoft issued a separate notification to about 6 percent of its Outlook.com users, telling them that in addition to the information above, hackers might have also seen their actual email contents. Microsoft confirmed that to Motherboard.

MSN and Hotmail accounts were also hacked, according to Motherboard's source, although Microsoft has not confirmed those details. The source said that the attack was part of a scheme to hijack email accounts and associated Apple iCloud accounts in order to disable the Activation Lock feature from stolen iPhones, enabling thieves to wipe and resell the devices.

MORE: What to Do After a Data Breach: A Step-by-Step Guide

According to Microsoft's first notification, one of its support technicians had his or her access credentials stolen by an attacker, allowing the attacker to break into the support interface and access the company's webmail back-end systems. The intrusion lasted from Jan. 1, 2019 to March 28, 2019 before it was discovered and turned off, according to Microsoft.

Motherboard's source, however, said that the intrusion lasted for six months. Microsoft denied that in a statement to The Verge.

"Our notification to the majority of those impacted noted that bad actors would not have had unauthorized access to the content of emails or attachments," a Microsoft spokesperson said in a statement. "A small group (~6 percent of the original, already limited subset of consumers) was notified that the bad actors could have had unauthorized access to the content of their email accounts, and was provided with additional guidance and support."

It is not clear how Motherboard's source knows all this inside information, but the source apparently "witnessed the attack in action," notified Motherboard before Microsoft disclosed the intrusion and provided screenshots as proof.

The attack appears to be confined to Microsoft's webmail accounts, which include Outlook.com, Hotmail and MSN. It does not affect accounts associated with the desktop Outlook Express email client software or enterprise Outlook email servers and clients. Corporate users who use their own domains for Outlook.com email were also unaffected by the hack, it would appear.

Microsoft hasn't said exactly how many users were affected and what the attackers might have done with the data they might have accessed. The company did say, however, that the intrusion has been addressed and users are no longer being targeted.