The breach occurred at the beginning of this year after attackers compromised a customer support representative’s login credentials
Microsoft has confirmed that hackers targeted an unspecified number of users’ online email accounts across Outlook, Hotmail and MSN services for a period of three months after hacking a customer support account.
The incident took place after hackers compromised the login credentials of a technical support representative, and lasted from 1 January to 28 March of this year, Microsoft said.
The credentials gave the hackers access to some customers’ email information, including subject lines, identities of email recipients and the names of folders.
“The content of any emails or attachments” was not affected, nor were passwords, Microsoft said in an email sent to users.
“Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access,” Microsoft said in the email.
The company said it didn’t know why the hack occurred but warned users that they “may receive phishing emails or other spam mails” as a result.
While login credentials weren’t affected, Microsoft advised users to reset their passwords as a precautionary measure.
However, the website Motherboard cited an unnamed source as saying that the hackers were able to access more data on some users, including the contents of emails.
Motherboard’s report said the hackers had been able to access more data on users with free accounts, while access was more limited for those with paid or enterprise accounts.
Microsoft confirmed the report, saying the additional data access applied to a subset of the affected users, about 6 percent. It said those users had also been notified.
“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” Microsoft said in a statement.
The company didn’t specify how many users were affected overall.
Microsoft didn’t indicate where the affected users were located, but included contact information for its EU data protection officer in the email to users, suggesting at least some of them were based in Europe.
“Microsoft regrets any inconvenience caused by this issue,” Microsoft said in the email.
The incident follows one of the biggest data breaches ever uncovered, when a security researcher in January found a trove of some 773 million email addresses and passwords from multiple providers.
The credentials had been posted to a popular hacking forum in mid-December.