Hackers could read non-corporate Outlook.com, Hotmail for six months
Ars Technica, April 22, 2019
Now if they could just reply to my emails for me…
Late on Friday, some users of Outlook.com/Hotmail/MSN Mail received an email from Microsoft stating that an unauthorized third party had gained limited access to their accounts and was able to read, among other things, the subject lines of emails (but not their bodies or attachments, nor their account passwords) between January 1 and March 28 of this year.
Microsoft confirmed this to TechCrunch on Saturday.
The hackers, however, dispute this characterization.
They told Motherboard that they can indeed access email contents and have shown that publication screenshots to prove their point.
They also claim that the hack lasted at least six months, doubling the period of vulnerability that Microsoft has claimed.
However, the company is still sticking to its claim that the hack only lasted three months.
Not in dispute is the broad character of the attack.
Both hackers and Microsoft’s breach notifications say that access to customer accounts came through compromise of a support agent’s credentials.
The support account would also have only had access to free Outlook.com/Hotmail/MSN-branded accounts and not to paid Office 365 email.
However, with access to an iPhone user's email account, it's possible to dissociate the phone from the iCloud account and subsequently reset the handset.