Microsoft has confirmed to several media outlets (including TechCrunch and The Verge) that its Outlook.com service has been hacked, and malicious individuals were able to access accounts information for weeks in early 2019, using a Microsoft support agent’s stolen credentials.
It’s unclear the exact number of accounts that have been compromised, but the company says that only “a limited subset of consumer accounts” were affected. Also, during the weekend of April 12, according to an email notification sent to affected users, hackers could have potentially been able to access email addresses, subject lines, folder names, and names of the email addresses.
Although hackers didn’t have access to the contents of emails or attachments, nor sign-in credentials, Microsoft is strongly recommending notified users to change their passwords.
According to the report from TechCrunch, the security breach occurred between January 1 and March 28, 2019, as a Microsoft spokesperson has already confirmed that the breach has been “addressed,” and the majority of the affected users have been notified. However, as a result of then breach, users may see more spam or phishing emails.
While the breach appears to have occurred during the first months of 2019, Motherboard claims that malicious individuals may have been accessing Outlook.com accounts for up to six months and use the service to reset iCloud account associated with stolen iPhone devices.
TechCrunch also reports that no enterprise data was compromised by the latest Outlook.com hack. However, there are a lot of questions that remain unanswered, such as the exact number of affected accounts, the accounts were targeted by hackers and from which regions, how the breach was detected, and many more.