
Microsoft Breach Highlights Risks from Customer Support

Recent revelations of a data breach at Microsoft’s email services, which include MSN.com, Hotmail.com, and Outlook.com, underscore the delicate balance between customer support and cybersecurity.

The breach, which Microsoft confirmed in a series of statements earlier this month, also shows the potential public-relations damage of disclosing only partial information about a security incident. Microsoft sent an email on a Friday night, April 12, alerting users of its email services that a malicious attack had potentially compromised information about their accounts, including their email addresses, folder names, the subject lines of emails, and other email addresses they communicated with.

The breach took place when a “Microsoft support agent’s credentials were compromised,” according to Microsoft’s letter to users. The affected period ran from January 1 to March 28. Although Microsoft said login credentials were not affected, the company recommended users change their passwords. Microsoft confirmed the breach to TechCrunch, acting on a reader tip, the next day (April 13), but the company did not detail how many accounts were affected or in what parts of the world.

In the letter to users, Microsoft said the breach did not expose “the content of any emails or attachments.” One day later (April 14), Microsoft confirmed to Motherboard that the breach had, in fact, allowed access to some customer emails, after the news site presented the company with evidence.

Cyber security pros see a rising threat from “customer and internal support mechanisms,” reports Wired. Support agents have to be given enough access to do their jobs, but the Microsoft situation shows what can happen when that access is compromised.

“It makes sense that providers of different cloud-based services might need some degree of access to customer accounts for various maintenance and troubleshooting activities,” opines eWeek. “What doesn’t make any sense is that those activities are not properly secured, leaving users exposed to an attack vector that they can’t easily defend against.”

The company’s response to the incident, Gizmodo notes, “raised serious concerns about Microsoft’s transparency.” The blog observed that a company’s openness with victims of a security breach “can mean the difference between consumers being completely outraged… or grateful that a company took immediate and appropriate action.”

A Microsoft rep told Wired, “We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access.”
