Microsoft Claimed A Security Breach Didn't Compromise Email Messages -- It Did

Photo: AP

A series of security reports published over the weekend have raised serious concerns about Microsoft’s transparency in the wake of a recent data breach.

On Saturday, TechCrunch reported that hackers had gained access to the company’s email service after compromising a customer support account. Microsoft has confirmed that a people using MSN.com, Hotmail.com, and Outlook.com accounts were affected, though it’s unclear how many.

The company contacted at least some affected users and assured them that the “content of any emails or attachments” had not been accessed. Regardless, it asked them to change their passwords.

The breach, Microsoft said in an email to some customers, was limited to some metadata, including folder names and email account names, plus some limited content, e.g., the subject lines of emails. In a statement to TechCrunch, it also described the number of accounts affected as “a limited subset of consumer accounts.”

One email to customers read, in part: “Our data indicates that account-related information (but not the content of any emails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used.” (Note: Email subject lines are actually considered content, not metadata, in the eyes of the law.)

But when TechCrunch approached Microsoft about the breach, Mirosoft appears to have kept the worst part of the news to itself — that actual email messages were compromised in some cases. Motherboard followed up, thanks to a leak, describing the full scope of the incident:

“[T]he issue is much worse than previously reported, with the hackers able to access email content from a large number of Outlook, MSN, and Hotmail email accounts, according to a source who witnessed the attack in action and described it before Microsoft’s statement, as well as screenshots provided to Motherboard.”

In response to Motherboard’s inquiries, Microsoft admitted that hackers had, in fact, gained access to the content of some customers’ emails. It also said customers whose emails had been compromised in this way had been notified — a sign that it was aware that the problem was bigger than it had let on when first questioned by TechCrunch.

It’s not a good look. While the company now claims that the content of only 6 per cent of the accounts accessed by the hackers had email messages compromised — 6 per cent of what, you might ask; the company hasn’t said — it’s credibility is now in questions thanks to its failure to be upfront about the extent of the damage.

Microsoft had the opportunity on Saturday, when first approached by TechCrunch, to be completely transparent. But it wasn’t until someone leaked Motherboard information that Microsoft came clean and fessed up.

“Really, what did Microsoft think would happen,” Motherboard report Joseph Cox tweeted. “Only tell reporters about the metadata exposure, and then... just expect it to look ok when someone found out about the email content? Trying to keep parts of a breach under wraps is never a good look.”

The finer details of how the breach occurred in the first place remain for the most part unclear. Gizmodo has pressed Microsoft for additional details but did immediately hear back.

Since nearly every company is bound to experience a security breach of some kind at some point, how the company chooses to respond publicly, and whether it’s fully transparent with the victims, counts for a lot. It can mean the difference between consumers being complete outraged in the wake of a breach or grateful that a company took immediate and appropriate action.

Microsoft doesn’t have long to explain itself and we’ll update if they do.

[TechCrunch, Motherboard]

Trending Stories Right Now