Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Microsoft’s Cloud Email Breach Is a Cause for Concern

    By
    Sean Michael Kerner
    -
    April 15, 2019
    Share
    Facebook
    Twitter
    Linkedin
      cloud-based security

      Microsoft has admitted that it suffered a data breach involving its web-based email services including Outlook.com, MSN.com and Hotmail.com that lasted for three months before it was detected and remediated. 

      Microsoft has not fully publicly disclosed how many customer accounts were impacted, and the company did not immediately respond to a request for comment from eWEEK on April 15. That said, Microsoft did send out an email late on April 12 to the unknown number of impacted users that was publicly posted on Reddit.

      “We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account,” the Microsoft notice stated. “Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access.”

      Microsoft claims in its advisory that the unauthorized access could have enabled an attacker to access email account information including the subject lines of emails and the names of contacts. The breach, according to Microsoft, lasted from Jan. 1 until March 28.

      According to Microsoft, user email login credentials were not directly impacted by the incident, though out of an abundance of caution it is still suggesting that users reset their email passwords.

      Analysis

      While breaches of any type and size are always a cause of concern, the method by which Microsoft’s email services were breached is particularly troubling. This was not a breach of individual user passwords via some form of credential stuffing attack, where passwords stolen in other breaches were used again to gain access. Neither was it a new zero-day vulnerability in the email platforms that Microsoft provides.

      This was a relatively simple attack, with very broad and surprising consequences. By Microsoft’s own admission, a single Microsoft support agent’s credentials were compromised. There is no official disclosure at this time about how the support agent’s credentials were stolen, but there are any number of ways that a single user can have their credentials stolen—that’s not the issue.

      The issue is that a single set of user credentials enabled an attacker to see information from potentially tens of millions of Microsoft email users. This one single Microsoft support agent had access to the user accounts, representing what in a very real sense is a single point of failure.

      It’s not clear if the Microsoft support agent had two-factor authentication enabled, which potentially might have made it more difficult for an attacker to gain access to the email system. It’s also not clear if Microsoft had some form of user behavior analytics that might have flagged a suspicious access pattern from the support agent. What is clear is that the attacker got access because the single support agent had access.

      Microsoft is not alone in enabling its support staff to have seemingly broad access to user information. Amazon has recently been scrutinized for allowing some of its staff access to user information from its Alexa personal assistant service. And Facebook admitted on March 21 that it had left hundreds of millions of user accounts unencrypted in an internal system that was apparently used for auditing purposes. Google routinely had been looking in at some of its Google Cloud Platform (GCP) public cloud user accounts when maintenance was needed as well. In Google’s case, however, the company has recently announced an effort to be more transparent and alert users when it wants access.

      It makes sense that providers of different cloud-based services might need some degree of access to customer accounts for various maintenance and troubleshooting activities. What doesn’t make any sense is that those activities are not properly secured, leaving users exposed to an attack vector that they can’t easily defend against.

      No doubt more details will emerge in the days and weeks ahead about what exactly happened in the Microsoft email data breach. Whatever the result, companies of all sizes should be concerned. There is tremendous convenience to moving all email services to the cloud, but as this latest breach proves, there are new risks as well.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×