Hackers could read non-corporate Outlook.com, Hotmail for six months

Hackers and Microsoft seem to disagree on key details of the hack.

Hackers could read non-corporate Outlook.com, Hotmail for six months

Enlarge (credit: Getty / Aurich Lawson)

Late on Friday, some users of Outlook.com/Hotmail/MSN Mail received an email from Microsoft stating that an unauthorized third party had gained limited access to their accounts, and was able to read, among other things, the subject lines of emails (but not their bodies or attachments, nor their account passwords), between January 1st and March 28th of this year. Microsoft confirmed this to TechCrunch on Saturday.

The hackers, however, dispute this characterization. They told Motherboard that they can indeed access email contents and have shown that publication screenshots to prove their point. They also claim that the hack lasted at least six months, doubling the period of vulnerability that Microsoft has claimed. After this pushback, Microsoft responded that around 6 percent of customers had suffered unauthorized access to their emails, and that these customers received different breach notifications to make this clear. However, the company is still sticking to its claim that the hack only lasted three months.

Not in dispute is the broad character of the attack. Both hackers and Microsoft's breach notifications say that access to customer accounts came through compromise of a support agent's credentials. With these credentials the hackers could use Microsoft's internal customer support portal, which offers support agents some level of access to Outlook.com accounts. The hackers speculated to Motherboard that the compromised account belonged to a highly privileged user, and that this may have been what granted them the ability to read mail bodies. The compromised account has subsequently been locked to prevent any further abuse.

Read 2 remaining paragraphs | Comments

Former Microsoft employee gets 3 months in jail for leaking Windows 8 secrets

Microsoft investigated the leak by rummaging through a French blogger’s Hotmail account.

Earlier this week, a man accused of stealing trade secrets from Microsoft and handing them to a French blogger was sentenced to three months in jail and a $100 fine in the Western District of Washington.

Alex Kibkalo worked for Microsoft in the company's Russia and Lebanon offices. According to an FBI complaint filed earlier this year, Kibkalo leaked pre-release updates for Windows RT and a Microsoft-internal Activation Server SDK to a French blogger in retaliation for a poor performance review. The blogger allegedly asked a third party to verify the stolen SDK, but that third party, who connected with the blogger via Hotmail, alerted Microsoft of the theft instead.

At that point, Microsoft launched its own internal investigation and searched the Hotmail account to find the blogger and his source. The company's investigation team was soon able to trace back to Kibkalo and then discovered that he had created a virtual machine on Microsoft's corporate network from which he uploaded the stolen goods to SkyDrive. When confronted, Kibkalo admitted to handing over software, company memos, and other documents. He was fired and later arrested.

Read 3 remaining paragraphs | Comments