Microsoft confirms managed email data breach

Microsoft has begun warning users of its webmail services, including Hotmail and Outlook.com, that a breach between January 1st and March 28th gave attackers unknown access to email addresses, folder names, subject lines, and contact lists - but, it claims, not email content, attachments, nor authentication credentials.

Microsoft's message to users of its managed email services confirms earlier reports that its servers had been breached by unknown attackers, though the mechanism at least is clear: The capturing of login credentials belonging to an unnamed support agent at the company, which apparently gave those who obtained it extensive access for a period of three months following the theft of the credentials on January 1st.

'We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account,' Microsoft's email to its users reads. 'This unauthorised access could have allowed unauthorised parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments, between January 1st2019 and March 28th 2019.

'Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorised access. Our data indicates that account-related information (but not the content of any e-mails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used. As a result, you may receive phishing emails or other spam mails. You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source.'

While the breach is severe, Microsoft claims that the most sensitive of personal data - passwords and the contents of emails, as well as any files attached to said emails - were not accessible using the stolen credentials. It is, however, recommending users to reset their passwords just in case.

UPDATE 1550:

Microsoft has admitted that while the vast majority of accounts affected by the breach could not have their email content read, a small number stated to be around six percent allowed complete access to all message content during the three-month period of the breach, in a statement to Vice Motherboard - an admission which does not appear to have been reflected in the company's official communication of the issue to the general public or press.