Claim website breach much worse than Microsoft admits

On Saturday TechCrunch reported that Microsoft’s web service has been breached for around 3 months, between January and March 2019, after “cybercriminals” managed to acquire the credentials of a customer support rep.

Microsoft said the credentials gave access to the email addresses, subject lines and folder names of a “limited number” of email accounts, but not the actual contents of the email. Enterprise users were unaffected.

Now Motherboard report that the attack was actually much worse than Microsoft admitted, with a source able to offer them evidence such as screenshots which pre-dates Microsoft’s confirmation.

The source confirms that hackers were able to read the contents of emails, saying the access was used as part of a scam to unlock iPhones which had been stolen.

When Microsoft was confronted by the evidence they admitted that hackers had more access than revealed earlier, but said only 6% of the affected had their emails read.

Motherboard’s source also revealed that hackers actually had access to much longer than the 3 months Microsoft admitted to, saying they were able to read emails for at least 6 months.

A Microsoft spokesman earlier said:

“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access.”

With access to our cloud data and PCs in many cases tied to our Microsoft accounts, which are also our email addresses, Microsoft owes it to users to be more clear about the compromise, and also how they will prevent it from recurring in the future.

Do our readers agree? Let us know below.