- A "limited subset" of Microsoft-owned email accounts, through services like Outlook, MSN and Hotmail, were hacked, Microsoft disclosed to TechCrunch on Saturday.
- Microsoft notified impacted users Friday night, saying intruders may have accessed their email addresses, folder names, email subject lines, and email addresses users communicate with. The content of emails or the login credentials for the accounts were compromised for about 6% of impacted users on the company's support portal, reports Motherboard.
- The breach was active from Jan. 1 to March 28, according to Microsoft. Bad actors used a customer support agent's credentials to gain access. According to TechCrunch, unsure of the scope of the data viewed by hackers, Microsoft told impacted users, "you should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source."
Microsoft doesn't yet know what the hackers have done with the information, if anything. Warning users to be cautious of email phishing schemes is not a sufficient defense for customers. Though it's a low percentage of accounts that had email content compromised, it's possible some of them could be business-related, as opposed to purely personal.
International and state regulations are cropping up to hold companies accountable for personal data and what they do to protect customers after a breach. Yahoo's first breach settlement was rejected in part because "while providing relief is appropriate, it must be done correctly."
If individuals are phished despite Microsoft's warnings, it opens a larger question around how long a company will aid impacted individuals. Microsoft has a tool, the Sphere, that simulates ransomware and phishing attacks to improve training. That is more of an enterprise tool than a resource to protect personal email accounts.
Regulators and law enforcement are taking the sides of breach victims, or the trusting consumers that use a good or service. Breaches are becoming less of a security issue and more of a privacy concept, which implies that the resolution of a breach lives on much longer than after a patch is applied to a bug.