
    Microsoft’s Cloud Email Breach Is a Cause for Concern

    By SEAN MICHAEL KERNER - April 15, 2019

      Microsoft has admitted that it suffered a data breach involving its web-based email services, including Outlook.com, MSN.com and Hotmail.com, that lasted for three months before it was detected and remediated.

      Microsoft has not fully disclosed publicly how many customer accounts were impacted, and the company did not immediately respond to a request for comment from eWEEK on April 15. That said, Microsoft did send an email late on April 12 to the unknown number of impacted users, and that email was publicly posted on Reddit.

      “We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account,” the Microsoft notice stated. “Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access.”

      Microsoft claims in its advisory that the unauthorized access could have enabled an attacker to access email account information including the subject lines of emails and the names of contacts. The breach, according to Microsoft, lasted from Jan. 1 until March 28.

      According to Microsoft, user email login credentials were not directly impacted by the incident, though out of an abundance of caution it is still suggesting that users reset their email passwords.

      Analysis

      While breaches of any type and size are always a cause of concern, the method by which Microsoft’s email services were breached is particularly troubling. This was not a breach of individual user passwords via some form of credential stuffing attack, where passwords stolen in other breaches were used again to gain access. Neither was it a new zero-day vulnerability in the email platforms that Microsoft provides.

      This was a relatively simple attack, with very broad and surprising consequences. By Microsoft’s own admission, a single Microsoft support agent’s credentials were compromised. There is no official disclosure at this time about how the support agent’s credentials were stolen, but there are any number of ways that a single user can have their credentials stolen—that’s not the issue.

      The issue is that a single set of user credentials enabled an attacker to see information from potentially tens of millions of Microsoft email users. This one single Microsoft support agent had access to the user accounts, representing what in a very real sense is a single point of failure.

      It’s not clear if the Microsoft support agent had two-factor authentication enabled, which potentially might have made it more difficult for an attacker to gain access to the email system. It’s also not clear if Microsoft had some form of user behavior analytics that might have flagged a suspicious access pattern from the support agent. What is clear is that the attacker got access because the single support agent had access.

      Microsoft is not alone in enabling its support staff to have seemingly broad access to user information. Amazon has recently been scrutinized for allowing some of its staff access to user information from its Alexa personal assistant service. And Facebook admitted on March 21 that it had left hundreds of millions of user accounts unencrypted in an internal system that was apparently used for auditing purposes. Google had also routinely been looking in at some of its Google Cloud Platform (GCP) public cloud user accounts when maintenance was needed. In Google’s case, however, the company has recently announced an effort to be more transparent and alert users when it wants access.

      It makes sense that providers of different cloud-based services might need some degree of access to customer accounts for various maintenance and troubleshooting activities. What doesn’t make any sense is that those activities are not properly secured, leaving users exposed to an attack vector that they can’t easily defend against.

      No doubt more details will emerge in the days and weeks ahead about what exactly happened in the Microsoft email data breach. Whatever the result, companies of all sizes should be concerned. There is tremendous convenience to moving all email services to the cloud, but as this latest breach proves, there are new risks as well.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
