Microsoft - 3 days ago

MICROSOFT EMAIL HACK SHOWS THE LURKING DANGER OF CUSTOMER SUPPORT

ON FRIDAY NIGHT, Microsoft sent notification emails to an unknown number of its email users across Outlook, MSN, and Hotmail, warning them about a data breach. Between January 1 and March 28 of this year, hackers used a set of stolen credentials for a Microsoft customer support platform to access account information such as the email addresses in messages, message subject lines, and folder names. By Sunday, it had become clear that the problem was actually much worse.

After the tech news site Motherboard confirmed through a source that the scope of the incident was larger, the company revised its initial statement, saying that for about 6 percent of the customers who received a notification, hackers could also access the content of their messages and any attachments. Microsoft had previously denied to TechCrunch that full email messages were affected.

It might seem strange that a single set of customer support credentials could be the keys to such a large kingdom. But within the security community, customer-facing and internal support mechanisms are increasingly seen as a potential source of exposure. On the one hand, support agents need enough account or device access to actually help people. But as the Microsoft incident shows, too much access in the wrong hands can cascade into a dangerous situation.

LURKING DANGER

“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” a Microsoft spokesperson told WIRED. The company says that “out of an abundance of caution,” it has increased threat monitoring for accounts impacted by the breach. Microsoft could not comment to WIRED on the scale of the attack or provide the total number of impacted accounts.

Without more information from Microsoft, it’s hard to characterize the purpose of the attack. Email accounts can be valuable to criminals; people often use them to set up other accounts, which means attackers can use the email account itself to reset passwords and compromise multiple services. Motherboard reported that the attackers did, in fact, use their access to break into iCloud accounts to disable iPhone activation locks. But with almost three months of access at their disposal, it’s still unclear whether the attackers were pursuing small-scale, targeted intrusions or sweeping fraud.

“We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account,” Microsoft said in a statement, indicating that the attack was not the result of an insider threat. But that raises even more questions.

“Sometimes a problem is really difficult to diagnose over the phone just by explaining it, so you need a high-privilege user to be able to jump into the account,” says Jeremiah Grossman. He worked as an information security officer at Yahoo for two years in the early 2000s and is now CEO of the corporate inventory security firm Bit Discovery. “But that customer service representative system should not be remotely accessible over the internet; it should be an internal-only system. So how exactly did the adversary even connect to [the Microsoft portal], let alone log in?”

Grossman also notes that Microsoft should have required customer support accounts with broad access to use two-factor or multifactor authentication, which could have helped prevent this issue in the first place. Unfortunately, Microsoft appears not to be the exception.

“We do a lot of consulting engagements where we walk up to any machine at a company, call up the help desk, and then can grab the support engineers’ credentials when they connect to the machine and use them to access other servers, like the CEO’s server,” says Dave Aitel, chief security technology officer at the secure infrastructure company Cyxtera. “In general, ‘support’ is a huge security hole waiting to happen.”

The key to maintaining a customer support system, Grossman says, is to put controls on how many people have a privileged account and how much access it grants, and to carefully log every time a customer’s account is accessed so that it can be audited. Engineering teams already use systems like that for situations where credentials need to be guarded closely, such as debugging or law enforcement data requests.
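The controls Grossman and the article describe (an internal-only portal, multifactor authentication on support accounts, scoped privileges so most agents never see message bodies, and a per-access audit log that can be reviewed) can be sketched in a few dozen lines. The following is an added example written for this page; it is not Microsoft's support tooling or any real product's code, and the scope names, the `SupportGateway` and `flag_bulk_access` functions, the thresholds and the sample events are all hypothetical or constructed. Beyond the text, it also shows what the audit log buys a defender: a detector that flags a valid credential being used to sweep many mailboxes in a short window, which is how a stolen agent login would typically look in that log.

```python
# Added example (not Microsoft's code): a support-access gateway applying the
# controls the article describes, plus a detector over its audit log.
# All names, scopes, thresholds and sample events are hypothetical/constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical privilege scopes: most support tickets need only metadata.
SCOPE_METADATA = "mailbox.metadata"   # addresses, subject lines, folder names
SCOPE_CONTENT = "mailbox.content"     # full message bodies and attachments


@dataclass(frozen=True)
class AgentSession:
    agent_id: str
    scopes: frozenset
    mfa_verified: bool           # second factor completed for this session
    from_internal_network: bool  # portal is reachable only from the corporate network


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    agent_id: str
    customer_id: str
    scope: str
    ticket_id: str
    allowed: bool
    reason: str


class SupportGateway:
    """Every lookup of a customer account goes through access(); every attempt,
    allowed or denied, is appended to the audit log for later review."""

    def __init__(self):
        self.audit_log = []

    def access(self, session, customer_id, scope, ticket_id, ts):
        reason = "ok"
        if not session.from_internal_network:
            reason = "portal is internal-only"
        elif not session.mfa_verified:
            reason = "mfa required for support accounts"
        elif scope not in session.scopes:
            reason = f"session lacks scope {scope}"
        elif not ticket_id:
            reason = "access must reference a support ticket"
        allowed = reason == "ok"
        self.audit_log.append(AuditEvent(ts, session.agent_id, customer_id,
                                         scope, ticket_id, allowed, reason))
        return allowed


def flag_bulk_access(events, window=timedelta(hours=1), max_accounts=20):
    """Return the agents whose allowed accesses touched more than max_accounts
    distinct customers inside any window of the given length. A genuine ticket
    rarely needs that many mailboxes; a stolen credential used for sweeping
    collection does."""
    flagged = set()
    by_agent = defaultdict(list)
    for e in events:
        if e.allowed:
            by_agent[e.agent_id].append(e)
    for agent, evs in by_agent.items():
        evs.sort(key=lambda e: e.ts)
        for i, first in enumerate(evs):
            customers = {first.customer_id}
            for later in evs[i + 1:]:
                if later.ts - first.ts > window:
                    break
                customers.add(later.customer_id)
            if len(customers) > max_accounts:
                flagged.add(agent)
                break
    return flagged


def run_demo():
    """Constructed scenario; returns the outcomes so they can be checked."""
    gw = SupportGateway()
    t0 = datetime(2019, 4, 12, 9, 0)
    alice = AgentSession("alice", frozenset({SCOPE_METADATA}), True, True)
    # A session built from a stolen credential, used from outside the network.
    stolen = AgentSession("bob", frozenset({SCOPE_METADATA, SCOPE_CONTENT}), False, False)
    carol = AgentSession("carol", frozenset({SCOPE_METADATA, SCOPE_CONTENT}), True, True)

    results = {
        "alice_metadata": gw.access(alice, "cust-1", SCOPE_METADATA, "T-100", t0),
        "alice_content": gw.access(alice, "cust-1", SCOPE_CONTENT, "T-100", t0),
        "stolen_external": gw.access(stolen, "cust-2", SCOPE_CONTENT, "T-101", t0),
    }
    # carol's credential passes every check, but it is used to read 25
    # different mailboxes in ten minutes; only the audit log reveals that.
    for i in range(25):
        gw.access(carol, f"cust-{100 + i}", SCOPE_CONTENT, "T-102",
                  t0 + timedelta(seconds=24 * i))
    results["flagged"] = flag_bulk_access(gw.audit_log)
    results["log_entries"] = len(gw.audit_log)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The design point is that the first three checks stop the cases the article's sources complain about (an externally reachable portal, no second factor, an agent with more scope than the ticket needs), while the log and the detector cover the case those checks cannot: a legitimate-looking session that is being driven by someone else.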

If you received a notification email from Microsoft, you should change your email account password and enable two-factor authentication if it isn’t already on. But it is hard for users to protect themselves while at the mercy of customer support security they cannot control. The least Microsoft should do is provide a clear picture of what happened, and why.
