On Friday night, Microsoft sent notification emails to an unknown number of individual email users across Outlook, MSN, and Hotmail, warning them about a data breach. Between January 1 and March 28 of this year, hackers used a set of stolen credentials for Microsoft's customer support platform to access account data such as the email addresses in messages, message subject lines, and folder names within the accounts. By Sunday, the company had acknowledged that the problem was worse.
After the tech news site Motherboard showed Microsoft evidence from a source that the incident was broader, the company changed its initial statement, saying that for 6 percent of the users who received a notification, the hackers could also access the text of their messages and any attachments. Microsoft had previously denied to TechCrunch that full email messages were affected.
"In general, 'support' is a huge security hole waiting to happen."
Dave Aitel, Cyxtera
Customer support credentials can be the keys to a very large kingdom. Within the security community, customer-facing and internal support mechanisms are increasingly seen as a potential source of exposure. On the one hand, support agents need enough account or device access to help people. But as the Microsoft incident shows, excessive access in the wrong hands can cascade into a dangerous situation.
"We've responded to this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators' access," a Microsoft spokesperson told WIRED. The company says that "out of an abundance of caution" it has increased threat tracking for accounts affected by the breach. Microsoft would not comment to WIRED on the scale of the attack or provide the total number of affected accounts.
Without further information from Microsoft, it is difficult to determine the purpose of the attack. Email accounts can be very valuable to criminals; people often use them to set up other accounts, meaning attackers who control someone's email account can reset passwords and compromise multiple services. Motherboard reports that the attackers did, in fact, use their access to break into iCloud accounts and disable the iPhone activation lock. But with almost three months of access at their disposal, it is still unclear whether the attackers focused only on small-scale intrusions.
"We have identified that a Microsoft support agent's credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account," Microsoft said in a statement, indicating that the attack was not the result of an insider threat. But the questions are mounting. "Sometimes the problem is really difficult to diagnose over the phone just by having it explained, so you want a high-privileged user to look over the account," says Jeremiah Grossman, who worked as an information security officer at Yahoo for two years in the early 2000s and is now CEO of the asset inventory security firm Bit Discovery. "But this customer support system should not be accessible from the Internet; it should be an internal system. So how exactly did the adversary connect to [the Microsoft portal] and log in?"
It is also unclear whether Microsoft requires customer support accounts with such extensive access to use two-factor or multifactor authentication, which might have helped prevent this issue in the first place. Unfortunately, Microsoft seems to be no exception.
"We do a lot of consulting where we go to any machine at a company, call the support desk, and then grab the support engineers' credentials when they connect to the machine and use them to access other servers, like the CEO's," said Dave Aitel, chief security technology officer at the secure infrastructure firm Cyxtera. "In general, 'support' is a huge security hole waiting to happen."
The key to securing a customer support system, says Grossman, is to put controls on how many people have privileged account access, and to carefully log every instance in which a user's account is accessed so that it can be audited. Engineering teams use systems like this for situations where credentials need to be carefully monitored, such as debugging or fulfilling law enforcement data requests.
If you receive a notification email from Microsoft, you should change the password on your email account and enable two-factor authentication if you haven't already. But it is hard for users to protect themselves when they are at the mercy of customer support security they cannot control. At the very least, Microsoft could offer a clearer picture of what happened, and why.
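The audit logging Grossman describes is what lets a defender scope an incident like this one: given a per-access record, the accounts a compromised agent credential touched, and whether each saw only metadata or full message content, fall out of a query. The script below is an added example and not Microsoft's or the article's code; the log format, field names, action taxonomy and sample events are all constructed.

```python
"""Scope a compromised support-agent credential from a support-portal audit log.

Added illustration, not Microsoft's code. The record format, the action
names and the sample events below are constructed for this example.
"""
from datetime import datetime

# Constructed sample audit log: one record per support-portal action.
# "ticket" is the support case the access was performed under (None = unbound).
AUDIT_LOG = [
    {"ts": "2019-01-03T10:14:00", "agent": "agent-7731", "account": "alice@example.com",
     "action": "list_folders", "ticket": "T-1001"},
    {"ts": "2019-02-11T22:41:00", "agent": "agent-7731", "account": "bob@example.com",
     "action": "read_message_body", "ticket": None},
    {"ts": "2019-03-02T03:05:00", "agent": "agent-7731", "account": "carol@example.com",
     "action": "read_subject_lines", "ticket": None},
    {"ts": "2019-04-02T09:00:00", "agent": "agent-7731", "account": "dave@example.com",
     "action": "list_folders", "ticket": "T-1190"},
    {"ts": "2019-02-20T12:00:00", "agent": "agent-0042", "account": "erin@example.com",
     "action": "read_message_body", "ticket": "T-1100"},
]

# Constructed taxonomy: actions that expose full content vs. only metadata.
CONTENT_ACTIONS = {"read_message_body", "download_attachment"}


def scope_compromise(log, agent, start, end):
    """Return (exposure, unticketed) for one agent credential over [start, end].

    exposure maps each touched account to "content" or "metadata"; "content"
    wins if any content-revealing action occurred. unticketed lists the
    events that were not bound to a support case, which a ticket-gated
    portal should never have allowed in the first place.
    """
    lo, hi = datetime.fromisoformat(start), datetime.fromisoformat(end)
    exposure, unticketed = {}, []
    for ev in log:
        if ev["agent"] != agent:
            continue
        if not (lo <= datetime.fromisoformat(ev["ts"]) <= hi):
            continue
        level = "content" if ev["action"] in CONTENT_ACTIONS else "metadata"
        if exposure.get(ev["account"]) != "content":
            exposure[ev["account"]] = level
        if ev["ticket"] is None:
            unticketed.append(ev)
    return exposure, unticketed


def content_share(exposure):
    """Fraction of touched accounts whose message content was exposed."""
    return sum(1 for v in exposure.values() if v == "content") / len(exposure)
```

Run over the constructed log for the article's January 1 to March 28 window, the query excludes the April access and the other agent's events, separates the one account with content exposure from the two with metadata-only exposure, and surfaces the two accesses that had no ticket behind them.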