Over the weekend, Microsoft confirmed that a limited number of people who use its Outlook, Hotmail and MSN email services had their accounts compromised. The attackers were able to view users' email addresses, folder names and the subject lines of emails, but not the content of any emails or attachments, and no login credentials or passwords. The breach occurred between January 1 and March 28, and the attackers got into Microsoft's systems by compromising a customer support agent's credentials.
Some users of Microsoft's Hotmail, Outlook and MSN services were left exposed due to a data breach after hackers broke into a customer service account. https://t.co/gpzoyCqyoE
— PCM Systems Ltd (@pcmsystemsltd) April 15, 2019
And the solution is to move to a more secure email provider that can guarantee privacy.
This is one of the reasons I am considering moving everything to a service like @ProtonMail. https://t.co/qYhdRhMmiM
— Daniel Montecillo (@leggendario12) April 13, 2019
Experts' Comments:
Robert Vamosi, Senior Product Marketing Manager at ForgeRock:
“Companies that suffer data breaches due to compromised employee accounts should consider implementing single sign on (SSO) capabilities within their organization, as SSO also allows for improved security, especially when coupled with multi-factor authentication. SSO prevents unauthorized access by keeping employee credentials in a more secure corporate IT environment, and multi-factor authentication prompts users to verify their identity in case the SSO credentials happened to be compromised.”
Lamar Bailey, Director of Security Research and Development at Tripwire:
“These kinds of breaches are particularly worrying for those affected, because they provide cybercriminals with potentially sensitive personal information that can be used for attacks against private individuals and enterprises. Although passwords do not appear to have been compromised, seemingly trivial items such as the subject lines of emails in one's inbox and email content can be exploited to devise a sophisticated socially engineered phishing campaign.
Users whose emails were compromised should change their passwords – which in the aftermath of a breach is always a good step, no matter which and how much information was compromised – and enable two-factor authentication wherever possible. Cyber hygiene best practices should also be the priority of those compromised: applying security patches, keeping software up to date and looking out for potentially malicious emails can help them avoid falling victim to further attacks.”
Ilia Kolochenko, Founder and CEO at ImmuniWeb:
“It is too early to attribute the attack due to the lack of information available. It could well be a group of beginners who publicly sell email hacking services, or a nation-state hacking group targeting political activists or western companies. As a precaution, all Outlook users should change their passwords and secret questions, as well as the passwords for any other accounts that sent, or could have sent, a password recovery link to their Outlook email.”
Dan Pitman, Principal Security Architect at Alert Logic:
“We don't know how Microsoft's systems work, but uncertainty about the activities during a breach is much more common than it should be; often log data is not kept for significant periods or logging is reduced to save resources, and monitoring the activity of “back office” users is not always perceived as being as important as end-user access.
Users should be conscious of what information they store in accounts that is not required for them to operate – those people who have telephone numbers and physical addresses and receive banking or other account notifications in their Outlook accounts should have a heightened awareness. Without access to the emails, the attacker's ability to action resets is reduced, but verify transactions and look out for unexpected communications and notifications from other organisations, be sure to have banking mobile notifications turned on where possible and always enable two-factor authentication for important systems.”
Martin Jartelius, CSO at Outpost24:
“With this in mind, it is important to review your emails in the current period, especially those containing sensitive information that could compromise your security and business confidentiality. For example, this could be tender submissions, mergers and acquisitions and other internal information that could cause harm externally. If such information is leaked, ensure you establish a crisis plan for damage control arising from its disclosure.
General advice, regardless of whether you were affected or not, is to enable two-factor authentication wherever possible, which ensures that access to your email does not constitute potential access to other systems as well.”
Javvad Malik, Security Advocate at AT&T Cybersecurity:
“Details on what was accessed and how users are impacted are scarce, but as a precaution, users should change their passwords. The other actions will depend upon the nature of their businesses. While the actual content of the emails wasn't disclosed, simply knowing the folder structure, the email headers and the times of emails can be quite telling – for example, it could indicate that companies are planning a merger, or that annual accounts are not promising. Attackers could also learn about company partners and use the information to launch phishing or business email compromise (BEC) attacks.”
Felix Rosbach, Product Manager at comforte AG:
“One important question here is: What did Microsoft do to monitor user behaviour?
You can get a very detailed picture of what hackers had access to and what data and accounts were compromised if you pseudonymize personally identifiable information. When hackers get access to pseudonymized data sets, these data sets are useless to them. If they want to see the data in the clear, they have to request that on a case-by-case basis, which wouldn't hinder a support employee, as they usually don't request a massive number of data sets at once. These requests are easy to manage and to monitor – and therefore give you not only control but also a very detailed breach history.
Users can’t do much about it. Not sharing your data is not possible these days, if you want to use these services. You can never be sure that the service of your choice won’t be hacked – there is no 100% security, there is no silver bullet. With insider attacks, an increasing attack surface and more and more vulnerabilities, the question is not if a breach will happen – but when.
Of course, you could set up your own mail server – but are you sure you can do a better job than Microsoft in terms of cybersecurity? If so, go for it.”
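The pseudonymization and monitoring pattern described by Felix Rosbach above, together with Dan Pitman's point about logging "back office" user activity, is sketched here as an added example. It is not code from the article, from comforte AG, Alert Logic or Microsoft; the vault design, the reveal-rate threshold (20 per hour), the agent names and the customer records are all assumptions constructed for illustration. Support agents work on records whose PII has been replaced by random tokens; each re-identification is a separate, logged request, so a compromised agent credential exposes only what was explicitly revealed, a bulk-reveal spike can be flagged, and the audit log yields a per-agent breach history after the fact.

```python
"""Pseudonymization vault with audited, per-record re-identification.

Added example, not the article's or any vendor's code. All names, thresholds
and sample records below are assumptions for illustration.
"""
from __future__ import annotations

import secrets
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

PII_FIELDS = ("email", "phone")          # fields that never reach the support UI in clear


@dataclass
class RevealEvent:
    """One audited re-identification request."""
    ts: datetime
    agent: str
    token: str
    field: str


class PseudonymVault:
    """Holds the token -> clear-value mapping; everything outside sees only tokens."""

    def __init__(self) -> None:
        self._clear: dict[str, str] = {}
        self.audit: list[RevealEvent] = []

    def pseudonymize(self, record: dict) -> dict:
        """Return a copy of `record` with PII fields replaced by random tokens."""
        out = dict(record)
        for f in PII_FIELDS:
            if f in out:
                tok = "tok_" + secrets.token_hex(8)   # unlinkable without the vault
                self._clear[tok] = out[f]
                out[f] = tok
        return out

    def reveal(self, agent: str, token: str, field: str, ts: datetime) -> str:
        """Resolve one token for one agent and log the request (the monitoring hook)."""
        if token not in self._clear:
            raise KeyError("unknown token")
        self.audit.append(RevealEvent(ts, agent, token, field))
        return self._clear[token]


def flag_excessive_reveals(audit: list[RevealEvent], window: timedelta = timedelta(hours=1),
                           limit: int = 20) -> dict[str, int]:
    """Agents whose reveal count in any sliding `window` exceeds `limit` (assumed threshold)."""
    by_agent: dict[str, list[datetime]] = defaultdict(list)
    for e in audit:
        by_agent[e.agent].append(e.ts)
    flagged: dict[str, int] = {}
    for agent, times in by_agent.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[agent] = peak
    return flagged


def breach_history(audit: list[RevealEvent], agent: str, since: datetime, until: datetime) -> set[str]:
    """Tokens an agent re-identified between `since` and `until`: the exposure set for that credential."""
    return {e.token for e in audit if e.agent == agent and since <= e.ts <= until}


def run_demo() -> dict:
    """Replay normal and abusive use over constructed data and return the findings."""
    vault = PseudonymVault()
    t0 = datetime(2019, 3, 1, 9, 0, 0)
    # Constructed customer records; none of this is real data.
    records = [vault.pseudonymize({"id": i, "email": f"user{i}@example.com",
                                   "phone": f"+1555{i:07d}"}) for i in range(60)]
    # agent_alice: three reveals while working tickets over half an hour (normal workload).
    alice_clear = [vault.reveal("agent_alice", records[i]["email"], "email",
                                t0 + timedelta(minutes=10 * i)) for i in range(3)]
    # agent_bob: credential abused for bulk re-identification, 50 reveals in ten minutes.
    for i in range(50):
        vault.reveal("agent_bob", records[i]["email"], "email",
                     t0 + timedelta(hours=2, seconds=12 * i))
    day = (t0, t0 + timedelta(days=1))
    return {
        "pii_hidden": all("@" not in r["email"] for r in records),
        "roundtrip_ok": alice_clear == [f"user{i}@example.com" for i in range(3)],
        "flagged": flag_excessive_reveals(vault.audit),
        "bob_exposed": len(breach_history(vault.audit, "agent_bob", *day)),
        "alice_exposed": len(breach_history(vault.audit, "agent_alice", *day)),
    }


if __name__ == "__main__":
    print(run_demo())
```

The design choice worth noting is that the audit log is written inside `reveal`, the only path from a token back to a clear value, so an agent (or whoever holds their credentials) cannot obtain PII without producing a log entry; that is what makes the breach history complete rather than best-effort. In a real deployment the window and limit would be tuned to observed agent workloads, and the vault would sit behind an authenticated service rather than in-process.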
Anjola Adeniyi, Technical Leader at Securonix:
“A big part of this mess is the inconsistency around what the hackers would have had access to. Did they have access to the content of emails or not? This isn't quite clear at the moment, as Microsoft said one thing, only to retract it and say they had access to some email content. Hopefully the affected users can get some clarity on this, and take any necessary steps in securing their organisations.”
Brian Higgins, Security Specialist at Comparitech.com:
“What worries me most is that Microsoft, on the one hand, say, “We consistently monitor our networks looking for any irregularities on the network” yet admit that “the attackers may have had access to Microsoft systems for a considerable period of time — something under three months.” As a customer, that doesn't fill me with confidence in their intrusion monitoring capabilities and makes me wonder who else is casually sitting on their network waiting to strike!
Whilst the stolen source code is probably being traded around on the Dark Web, from a consumer’s perspective the largest threat appears to be from ‘yet to be launched’ products and services. However, since most tech firms subscribe to the ‘launch it first and patch it later’ business model, any affected products will most likely already be vulnerable somehow anyway. The best thing any individual can do to protect themselves is to make sure they install patches and software updates as soon as they become available. It has long been known that the ‘golden hour’ between a vulnerability’s discovery and the launch of the subsequent solution is where hackers cause most harm. My advice in any instance is to lay off the ‘Remind me later’ button and UPDATE NOW!”