Microsoft discloses security breach that impacted some Outlook accounts

On Friday, Microsoft sent out notification emails to some users informing Outlook account owners of a breach the company suffered and which might have also impacted Outlook users directly.

According to Microsoft, between January 1, 2019, and March 29, 2019, a hacker, or group of hackers, compromised the account of a Microsoft support agent, one of the company's customer support representatives that handles technical complaints.

The OS maker said it disabled the compromised support agent's credentials once it learned of the unauthorized intrusion; however, the company said there might be a possibility that the hacker accessed and viewed the content of some Outlook users' accounts.

"This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments," Microsoft said in the email sent to customers.

However, former Microsoft engineers have contested this claim --that support agents can't view user's email content.

"They can see how many emails you have, where the database lies, email content, last person you emailed," one former engineer told ZDNet via encrypted chat.

Contacted by ZDNet, Microsoft confirmed that hackers did access the content of some user accounts. The company put the number at around six percent of the people who received an email notification.

Those users received "additional guidance and support," Microsoft said.

In the meantime, the company is recommending that users who received the email about this recent breach change their Outlook.com credentials, "out of caution," even if hackers did not access Outlook users' passwords.

ZDNet understands that the incident only affected a small number of Microsoft Outlook users and that Microsoft has also increased detection and monitoring for the affected accounts, just to be sure there's no unauthorized access for those accounts.

TechCrunch first reported and confirmed the hack earlier today.

Article updated on April 14, 18:25ET to include Microsoft confirmation.

Data leaks: The most common sources

More data breach coverage:

• Indian govt agency left details of millions of pregnant women exposed online
• Mailgun hacked part of massive attack on WordPress sites
• Card breach reported at Buca di Beppo, Planet Hollywood, and other restaurants
• Matrix.org hack forces servers offline, encrypted chat history lost
  
• Over 13K iSCSI storage clusters left exposed online without a password
• Chinese companies have leaked over 590 million resumes via open databases
• Facebook passwords by the hundreds of millions sat exposed in plain text CNET
  
• Facebook data privacy scandal: A cheat sheet TechRepublic