Various technology media are reporting that Microsoft’s webmail breach, disclosed earlier this year, was more serious for some users than others.
The software giant has confirmed a report by Motherboard that hackers were able to access at least a portion of email content, not just the addresses and subject lines. Over the weekend Microsoft reportedly began notifying some consumers who use Outlook that a hacker was able to access accounts for months before being discovered and blocked.
The notification said the intruders might have been able to see email addresses, folder names, and subject lines of emails. Later, the company told affected users that hackers might have been able to read the contents of their email. Microsoft is recommending that affected users change their passwords.
The hackers reportedly got into Microsoft’s system by compromising a customer support agent’s credentials. Andy Smith, vice president of product marketing at Centrify, says weak or compromised credentials have served as hackers’ preferred burglary tools.
Privileged credential abuse
“A recent Centrify study found that privileged credential abuse is involved in almost three out of every four breaches,” Smith said in an email to ConsumerAffairs. “Privileged account access provides cyber adversaries with the ‘keys to the kingdom’ and a perfect camouflage for their data exfiltration efforts.”
Hijacking legitimate credentials provides a perfect cover. According to FireEye’s annual M-Trends report, the median time that attackers remain undiscovered in a compromised network is 101 days.
“Organizations have to assume that bad actors are in their networks already, which is why the recent groundswell around Zero Trust (ZT) is gaining momentum,” Smith said.
ZT is an IT architecture that discards the notion of a trusted network. It requires that enterprises operating computer networks create multiple perimeters of control around their protected data, which makes it significantly more difficult for a hacker to penetrate the system.
“Simple static passwords are not enough, especially for sensitive company data,” Smith said.
“With static passwords, how are you supposed to know if the user accessing data is the valid user or just someone who bought a compromised password from the 21 million that were revealed in the Collections #1 breach? You cannot. You can’t trust a static password anymore.”
There are no firm numbers of affected users in the expanded Microsoft breach. Microsoft has said only that there were a limited number of affected accounts. The combined users of Hotmail, MSN, and Outlook number in the hundreds of millions.