By Bruce Sussman
Mon | Apr 15, 2019 | 10:18 AM PDT

The news has gotten worse since Microsoft first announced that a large number of non-corporate Outlook, MSN, and Hotmail accounts were hacked.

Microsoft originally told TechCrunch that hackers managed to access email subject lines and whom email customers were communicating with but not actual email content.

Apparently, this was an insult to hackers who wanted to prove what they had done. And now Microsoft has changed its story.

Motherboard reports:

In its notification email, Microsoft said the hackers couldn’t access email content or attachments, and then in another section, that the company’s “data indicates” email contents could not have been viewed.

Motherboard’s source, however, said that the technique allowed full access to email content. On Sunday the source provided another screenshot of another page of the panel, with the label “Email Body” and the body of an email redacted by the source. They said the Microsoft support account used belonged to a high privileged user, meaning they likely have more access to material than other employees.

When presented with this screenshot, Microsoft confirmed it had also sent breach notification emails to some users that did say the customer’s email content had been impacted.

Privacy and security, how they are linked

This story reminds us, again, that security and privacy are nearly impossible to separate.

During our interview last week at SecureWorld Philadelphia, Dawn-Marie Hutchinson, CISO of Pharmaceuticals and R&D at GlaxoSmithKline, had this to say:

“Privacy doesn’t exist without security. Because we can’t honor that relationship that we’re going to protect the data without security.”

Below: Hutchinson delivering her keynote at SecureWorld. 



In the case of the recent Microsoft-related email breach, it sounds like a support employee's compromised credentials provided the way in for hackers.

Reducing the risk from compromised credentials

Check out our complimentary Security Awareness web conferences, which are available on demand. They provide tools which can help reduce the risk of credential compromise at your organization. 

And you may want to consider other steps to minimize the damage if credentials do get compromised. Says Robert Vamosi of ForgeRock:

“Companies that suffer data breaches due to compromised employee accounts should consider implementing single sign-on (SSO) capabilities within their organization, as SSO also allows for improved security, especially when coupled with multi-factor authentication.

SSO prevents unauthorized access by keeping employee credentials in a more secure corporate IT environment, and multi-factor authentication prompts users to verify their identity in case the SSO credentials happened to be compromised.”