Hackers could read non-business Outlook.com, Hotmail for six months




Late Friday, some Outlook.com/Hotmail/MSN Mail users received an email from Microsoft stating that an unauthorized third party had gained limited access to their accounts and was able to read, among other things, the subject lines of emails (but not their bodies, attachments, or account passwords) between January 1 and March 28 of this year. Microsoft confirmed this to TechCrunch on Saturday.

The hackers, however, dispute this characterization. They told Motherboard that they could in fact access the contents of emails and showed the publication screenshots to prove their point. They also claim that the hack lasted at least six months, which doubles the period of vulnerability claimed by Microsoft. After this pushback, Microsoft responded that about 6% of the customers affected by the hack had suffered unauthorized access to their emails and that these customers had received different breach notifications to make this clear. However, the company continues to claim that the hack lasted only three months.

The general character of the attack is not disputed. Both the hackers and Microsoft's breach notifications indicate that access to the accounts was gained by compromising the credentials of a support agent. With these credentials, the hackers could use Microsoft's internal customer support portal, which provides support agents with some level of access to Outlook.com accounts. The hackers speculated to Motherboard that the compromised account belonged to a highly privileged user, which might have allowed them to read the bodies of emails. The compromised account was subsequently locked to prevent further abuse.

The support account would also only have had access to free Outlook.com/Hotmail/MSN accounts, not paid Office 365 email.

Motherboard's source also gave a reason for the hack in the first place. iPhones are associated with iCloud accounts, and this association prevents them from being factory reset. This in turn means that stolen iPhones lose value; they can still be stripped for parts, but they cannot be resold as fully functioning handsets because they are still tied to their original owner. However, with access to the email account of the iPhone user, it is possible to unlink the phone from the iCloud account and then reset the handset. In other words, the hackers do not care much about the email accounts themselves; they just want to get their hands on these important reset request emails so they can increase the value of their stolen phones.
