Microsoft has admitted that it suffered a data breach involving its web-based email services including Outlook.com, MSN.com and Hotmail.com that lasted for three months before it was detected and remediated.
Microsoft has not fully publicly disclosed how many customer accounts were impacted, and the company did not immediately respond to a request for comment from eWEEK on April 15. That said, Microsoft did send out an email late on April 12 to the unknown number of impacted users that was publicly posted on Reddit.
"We have identified that a Microsoft support agent's credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account," the Microsoft notice stated. "Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access."
Microsoft claims in its advisory that the unauthorized access could have enabled an attacker to access email account information including the subject lines of emails and the names of contacts. The breach, according to Microsoft, lasted from Jan. 1 until March 28.
While breaches of any type and size are always a cause of concern, the method by which Microsoft's email services were breached is particularly troubling. This was not a breach of individual user passwords via some form of credential stuffing attack, where passwords stolen in other breaches were used again to gain access. Neither was it a new zero-day vulnerability in the email platforms that Microsoft provides.
This was a relatively simple attack, with very broad and surprising consequences. By Microsoft's own admission, a single Microsoft support agent's credentials were compromised. There is no official disclosure at this time about how the support agent's credentials were stolen, but there are any number of ways that a single user can have their credentials stolen—that's not the issue.
The issue is that a single set of user credentials enabled an attacker to see information from potentially tens of millions of Microsoft email users. This one single Microsoft support agent had access to the user accounts, representing what in a very real sense is a single point of failure.
It's not clear if the Microsoft support agent had two-factor authentication enabled, which potentially might have made it more difficult for an attacker to gain access to the email system. It's also not clear if Microsoft had some form of user behavior analytics that might have flagged a suspicious access pattern from the support agent. What is clear is that the attacker got access because the single support agent had access.
Microsoft is not alone in enabling its support staff to have seemingly broad access to user information. Amazon has recently been scrutinized for allowing some of its staff access to user information from its Alexa personal assistant service. And Facebook admitted on March 21 that it had left hundreds of millions of user accounts unencrypted in an internal system that was apparently used for auditing purposes. Google routinely had been looking in at some of its Google Cloud Platform (GCP) public cloud user accounts when maintenance was needed as well. In Google's case, however, the company has recently announced an effort to be more transparent and alert users when it wants access.
It makes sense that providers of different cloud-based services might need some degree of access to customer accounts for various maintenance and troubleshooting activities. What doesn't make any sense is that those activities are not properly secured, leaving users exposed to an attack vector that they can't easily defend against.
No doubt more details will emerge in the days and weeks ahead about what exactly happened in the Microsoft email data breach. Whatever the result, companies of all sizes should be concerned. There is tremendous convenience to moving all email services to the cloud, but as this latest breach proves, there are new risks as well.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.