Some users of Microsoft's web-based email services including @msn.com, @hotmail.com, and @outlook.com have had their accounts breached, with the accounts remaining in a compromised state for more than two months.
As TechCrunch and Motherboard report, an email sent out by Microsoft late last week explains that access to its system was gained through compromised Microsoft support agent credentials. Email accounts were then accessed and information including each account's email address, folder names, subject lines, and the other email addresses communicated with could be viewed.
That was the extent of the breach for most compromised accounts, but around six percent of affected users didn't get so lucky. The information accessed in their accounts extended to the body of emails, their date of birth, calendar activity, admin center, and their logon history.
The compromise lasted from Jan 1. to March 28., with Microsoft disabling the compromised credentials as soon as it became aware of the situation. Even though email account login details were not accessed in any way, “out of caution” Microsoft is advising those affected to reset their account password. The same advice will be conveyed to anyone who receives this warning email from Microsoft.
The biggest threat posed to users caught up in this compromise is the threat of phishing attacks and email spam. It's likely the email addresses were taken and sold as a list or added to an existing one of valid email addresses. After that, they are likely to be sent some form of spam, or worse, have compromised files attached to an email that allows for a PC infection or ransomware to take control if opened.
As ever, ensure you are running a good security suite to protect yourself against infection, protect your identity online, and use common sense when reviewing emails, especially if they have attachments you don't recognize or expect.