Microsoft Says Some Webmail Accounts Were Compromised (techcrunch.com)
A "limited" number of users of Microsoft's webmail services -- which include Hotmail, Outlook.com, and MSN -- "had their accounts compromised," TechCrunch reports.
"We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators' access," said a Microsoft spokesperson in an email. According to an email Microsoft has sent out to affected users, malicious hackers were potentially able to access an affected user's e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses the user communicates with -- "but not the content of any e-mails or attachments," nor -- it seems -- login credentials like passwords. Microsoft is still recommending that affected users change their passwords regardless.
The breach occurred between January 1 and March 28, Microsoft's letter to users said. The hackers got into the system by compromising a customer support agent's credentials, according to the letter. Once identified, those credentials were disabled. Microsoft told users that it didn't know what data was viewed by the hackers or why, but cautioned that users might see more phishing or spam emails as a result.
A bunch of dead and emptied accounts with outdated passwords got compromised. So?
They were perfectly good recipients of spam and forwards from grandma!
Why do these random low-rent people get to look through email addresses, contacts, subjects, and organizational folder hierarchies?
To provide support for people who are not computer-literate anyway, which is why they depend on a hotmail/msn email address, they simply don't know any better. However, it's support - if someone calls the support line, they expect that the person on the other end (the support person) is able to explain to them exactly what they're looking at and exactly why someone thinks their genitals need enlargement.
This is not an email platform for technically competent people. This is a platform for people who might need instructions on how to move a mouse. They need all the handholding they can get, including having what they're looking at in their inbox explained to them. If the support people cannot explain that, they have failed their users.
Last but not least, these are not "random low-rent people". These are employees hired to do a specific job. You shouldn't walk down the street assuming that 98% of the people that you see are "random low-rent people" and thus less than you.
You can have credential breaching at any level - it happens to competent people all the time. Eventually these systems should all be migrated to some sort of 2-factor, however they were likely developed years ago without something like that in mind (barely anything was before 3-4 years ago - seriously, barely anything) and have enormous costs in adding something like that to the platform. Most competent people use multiple passwords for different sites, at least for the different areas of their lives (never use work passwords for personal, etc). But, when a password gets compromised, the most that does is limit the exposure of that compromise, it does not and cannot prevent it. 2FA is the best weapon we have against credential compromise, and that is not even completely foolproof against an attacker with enough resources and in an adequate targeting position.
Not hired to look at customer emails. Such a job never existed. Private parts are never customer support's concern. Fail
It's just as bad to assume everyone is the same as you.
The bell curve is real; you are asking for trouble by ignoring it.
They all do twice the same one factor. Or even worse: Just the "who you are" factor and some handwaving that they call the second factor.
It should be three properly implemented factors anyway.
One key device that you have, one biometric one that you are, and a password that gets combined with the biometric one to unlock the key device and have it spew out the real, one-time ephemeral key (based also on the built-in one-time pad if possible).
AND if you want to be serious about it, the password and biometrics should be entered INTO the tamper-"proof" (and Tempest-proof) key device! Not into an untrustworthy device!
FinTS (formerly HBCI), for example, allows that. I've been doing my banking like that for years.
(The device also has a display that shows me the transaction before I press OK.)
Everything else is just security theater, and no more secure than entering only a password into an untrustworthy device.
But hell, we're still blindly trusting some backdoored CPUs and TLS master certificates from random install media when we download browsers, so we can trust the master certificates in there blindly, that tell us we shall trust some random CAs that we never met blindly. So ...
If the credentials have been disabled, how do the users get the email to say that they were affected?
5 is a limited number. So is 100 million. How many, Microsoft?
Sorry, but I don't want my identity being tied to parts of my body. That's creepy and dangerous.
You need to be able to change your authentication.
Microsoft disabled the compromised credentials, which are the credentials of the low-rent employee.
That I see originates from the "freemail" providers (Google, Microsoft) by a wide margin. Very little comes from other compromised accounts. Horseshoe spammers and other nefarious dimwits are easy to detect because they cannot be bothered to be RFC compliant and thus are easy to filter (along with all the other fuckwads that do not know how to properly operate an SMTP server, some of which are very large operations).
This means that things like SPF, DKIM, etc are completely useless since the shit coming from the freemail providers IS SPF compliant and IS DKIM signed.
If Google had support then it would be no different with them. Google side-skirts the issue by not offering any support whatsoever.
... there are likely to be thousands of O365 accounts affected. It is rare that I don't see a half-dozen different organizations represented in "please look at this invoice" or "please review your payment" emails sent to our system accounts, each personalized for the company whose O365 accounts have been hijacked.
If one of our corporate clients had not switched over to O365 for their email services last year, I'd block anything coming from an outlook.com server, because it is rare that it is NOT a phishing email.
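The point made a few comments up is that SPF and DKIM only authenticate the sending domain, so mail from a hijacked freemail account passes both and has to be caught by separate signals. The following is an added example, not code from the article or from any commenter: it parses the MTA's own Authentication-Results verdict from two constructed messages (the header names are standard; the domains, addresses and subject patterns are invented) and shows that the "invoice"/"payment" style lure from a fully authenticated account is the case a filter must handle on its own.

```python
import re
from email import message_from_string

# Constructed sample messages (not real mail). The first imitates a hijacked
# freemail account: SPF and DKIM both pass because the real provider sent it.
HIJACKED = """From: accounts@freemail.example
Subject: Please review your payment
Authentication-Results: mx.receiver.example; spf=pass smtp.mailfrom=freemail.example; dkim=pass header.d=freemail.example

Open the attached invoice.
"""

# The second imitates a plain forgery of someone else's domain: both checks fail.
SPOOFED = """From: ceo@corp.example
Subject: Quarterly figures
Authentication-Results: mx.receiver.example; spf=fail smtp.mailfrom=corp.example; dkim=none

See attached.
"""

# Invented lure phrases modelled on the "invoice"/"payment" subjects above.
PHISH_SUBJECTS = re.compile(r"\b(invoice|payment|review your)\b", re.I)


def auth_results(raw):
    """Return the spf/dkim verdicts recorded by the receiving MTA.
    Assumes the Authentication-Results header was written by our own MX
    (an untrusted sender can add one too, so strip foreign copies upstream)."""
    header = message_from_string(raw).get("Authentication-Results", "")
    found = dict(re.findall(r"\b(spf|dkim)=(\w+)", header))
    return {"spf": found.get("spf", "none"), "dkim": found.get("dkim", "none")}


def classify(raw):
    """Authentication answers 'which domain sent this', nothing more.
    A compromised account passes it, so the content check runs regardless."""
    msg = message_from_string(raw)
    auth = auth_results(raw)
    authenticated = auth["spf"] == "pass" and auth["dkim"] == "pass"
    lure = bool(PHISH_SUBJECTS.search(msg.get("Subject", "")))
    if not authenticated:
        return "reject: authentication failed"
    if lure:
        return "quarantine: authenticated but matches phishing pattern"
    return "deliver"
```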
... has one of those email addresses. Even if you never use it (I don't, and the email I used to sign up with MS is a forwarding address with a layer of spam filtering before it gets to the real email with more filtering). If you have a MS Account (which you probably do with Windows 10), MS assigns you an outlook.com alias.
Doesn't mean I don't get questionable emails - I get lots of them - but the filters do keep the volume to a dull roar and common sense is easier to apply at low volumes.
Everybody who didn't pay for a Microsoft email account had the entire contents of their mailbox at risk for the past 6 months...
"...the issue is much worse than previously reported, with the hackers able to access email content from a large number of Outlook, MSN, and Hotmail email accounts, according to a source who witnessed the attack in action and described it before Microsoft’s statement, as well as screenshots provided to Motherboard. Microsoft confirmed to Motherboard that hackers gained access to the content of some customers’ emails."
https://motherboard.vice.com/e...
... got into the system by compromising a customer support agent's credentials, according to the letter.
Emphasis mine. So that bloke and everyone else with his access level can read your address book, subject lines, and folder names... by design? WTF, Microsoft?