Microsoft admits: Yes, miscreants leafed through some Hotmail, MSN, Outlook inboxes after support rep pwned

Microsoft says miscreants accessed some of its customers' webmail inboxes and account data after a support rep's administrative account was hijacked. The Redmond software giant has sent Hotmail, MSN, and Outlook cloud users notifications that the unnamed customer support rep's account was compromised by hackers who would have …

  1. Crazy Operations Guy Silver badge

    "Microsoft did not say how the attackers were able to steal the support agent's account credentials"

    I'd imagine the same way that any other credentials might get stolen. Malware on their system, password reuse, flaw in the authentication system, etc. Or maybe the Support Rep was in on it. Maybe the hackers never had the Rep's credentials and just planted malware on their machine and hijacked the session.

    1. Anonymous Coward Silver badge
      FAIL

      Re: "Microsoft did not say how the attackers were able to steal the support agent's account credent"

      My guess would be spear-phishing.

      But that completely bypasses the issue of "why in the name of FSM is the system built so that an 'agent' can access whatever account they want?"

      Obviously doesn't affect me, you get what you pay for, etc etc. But still a shit situation

      1. phuzz Silver badge

        Re: "Microsoft did not say how the attackers were able to steal the support agent's account credent"

        This is an uninformed guess, but it could be because they've moved the consumer Hotmail over to the same system that Office365 uses (ie Exchange), which allows administrators (or whoever has been granted permission) access to mailboxes.

        I'm still not sure why a customer agent needs access to a mailbox, but I'd be willing to believe it was just a screw up assigning permissions.

  2. MadonnaC

    I only use hotmail for messages I don't want

    Classify as spam anyone not in my address book.

    Address book empty.

    Please, collect the thousands of junk email I get each day - it's not as if I read it.

  3. Mike Shepherd
    Meh

    Hmmm...

    ...customers whose inboxes were left exposed to the intruder will be getting additional "detection and monitoring"

  4. ma1010 Silver badge
    Coat

    But he's a MICROSOFT support guy

    And he's using an iPhone? Treason! He should be using a Windows Phone, the silly - what?

    Oh. Right. No more Windows phones.

    Carry on, then.

    1. Doctor Syntax Silver badge

      Re: But he's a MICROSOFT support guy

      "And he's using an iPhone?"

      Where does it say that? It says it was thought to be part of an attack on iCloud.

      I've not used iCloud but one possibility would be if iCloud uses an email address as an ID in which case Apple should go stand in the crowded naughty corner along with many others who think this is a good idea. The other possibility would be to impersonate the user to Apple support and try to persuade them to grant the scammer access.

  5. Ian Emery Silver badge
    FAIL

    Oh Dear

    3 months of rummaging through MicroGits systems and no one noticed.

  6. SVV Silver badge

    Microsoft discovers that someone has details of every Hotmail account

    If it helps, I think you'll find that SexyJovanka, 24, from Eastern Europe who loves you very much and would like to marry you has had those details for years.

  7. Neil Barnes Silver badge

    I bet that...

    The number of emails I get asking me 'girls and hot womens?' or telling me that 'I've hacked your computer, so send me bitcoin' decreases by, um, not a lot.

    1. Korev Silver badge
      Joke

      Re: I bet that...

      A gay friend wanted Hotmail, he was a bit disappointed at how many women got in touch

      1. Anonymous Coward

        Re: I bet that...

        "A gay friend wanted Hotmail"

        Gay and American by that spelling

        1. Alister Silver badge

          Re: I bet that...

          What spelling? I can't see anything there that would be spelled differently whichever side of the Atlantic you are from?

        2. This post has been deleted by its author

  8. defiler Silver badge

    Remember the time?

    Remember when Hotmail had an authentication flaw where you could log into your own Hotmail account, and then simply change the URL and go scouring through any other Hotmail mailbox if you had the address? Back in those days you could pretty much laugh it off with a "whoops - we'll get that sorted". Changed days.

  9. DavidCarter

    Is there any decent reason why they don't have a customer lockbox requirement to allow access to see inside the mailbox, or a requirement in terms of line manager approval?

Biting the hand that feeds IT © 1998–2019