On Friday night, Microsoft sent notification emails to an unknown number of its individual email users—across Outlook, MSN, and Hotmail—warning them about a data breach. Between January 1 and March 28 of this year, hackers used a set of stolen credentials for a Microsoft customer support platform to access account data like email addresses in messages, message subject lines, and folder names inside accounts. By Sunday, it acknowledged that the problem was actually much worse.
After tech news site Motherboard showed Microsoft evidence from a source that the scope of the incident was more extensive, the company revised its initial statement, saying instead that for about 6 percent of users who received a notification, hackers could also access the text of their messages and any attachments. Microsoft had previously denied to TechCrunch that full email messages were affected.
“In general, ‘support’ is a big security hole waiting to happen.”
Dave Aitel, Cyxtera
It may seem odd that a single set of customer support credentials could be the keys to such a massive kingdom. But within the security community, customer and internal support mechanisms are increasingly seen as a potential source of exposure. On the one hand, support agents need enough account or device access to be able to actually help people. But as the Microsoft incident shows, too much access in the wrong hands can cascade into a dangerous situation.
“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” a Microsoft spokesperson told WIRED. The company says that “out of an abundance of caution” it has increased threat monitoring for accounts impacted by the breach. Microsoft would not comment to WIRED on the scale of the attack or provide the total number of impacted accounts.
Without more information from Microsoft, it’s difficult to characterize the purpose of the attack. Email accounts can be extremely valuable to criminals; people often use them to set up other accounts, meaning attackers can use the email account itself to reset passwords and compromise multiple services. Motherboard reported that the attackers did, in fact, use their access to break into iCloud accounts to disable iPhone activation locks. But with almost three months of access at their disposal, it is still unclear whether the attackers were focused on small-scale, targeted intrusions or sweeping fraud.
“We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account,” Microsoft said in a statement, indicating that the attack was not the result of an insider threat. But that raises even more questions.
“Sometimes a problem is really hard to diagnose over the phone just by explaining, so you want a high-privilege user to be able to jump into the account,” says Jeremiah Grossman, who worked as an information security officer at Yahoo for two years in the early 2000s and is now CEO of the corporate inventory security firm Bit Discovery. “But that customer support representative system should not be remotely accessible over the internet; it should be an internal-only system. So how exactly did the adversary even connect to [the Microsoft portal], let alone log in?”
Grossman notes, also, that Microsoft should have required customer support accounts with broad access to use two-factor or multifactor authentication, which could have helped prevent this issue in the first place. Unfortunately, Microsoft seems not to be the exception.
“We do a lot of consulting engagements where we go up to any machine at a company, call up the support desk, and then can grab the support engineers’ credentials when they connect to the machine and use them to access other servers—like the CEO’s server,” says Dave Aitel, chief security technology officer at the secure infrastructure firm Cyxtera. “In general, ‘support’ is a big security hole waiting to happen.”
The key to maintaining a customer support system, Grossman says, is to create controls on how many people have privileged account access, and to carefully record all instances where a user’s account is accessed for auditing. Engineering teams already use systems like that for situations where credentials need to be guarded closely, like debugging, or fulfilling law enforcement data requests.
If you received a notification email from Microsoft, then you should change your email account password and enable two-factor authentication if it isn’t already on. But it’s difficult for users to protect themselves when they’re at the mercy of customer support security they can’t control. The least Microsoft could do is offer a clear picture of what happened—and why.