Microsoft has recently admitted that its Outlook.com security breach was worse than the company initially revealed. Microsoft’s notification revealed that hackers could have viewed account email addresses, folder names, and subject lines of emails, but in a separate notification to other affected users the company also admitted email contents could have been viewed.
Vice’s Motherboard revealed on Sunday that Microsoft sent a different notification message to around six percent of the affected Outlook.com accounts, and that the company only admitted this when it was presented with screenshot evidence that the breach was far worse for those customers.
Microsoft discovered that a support agent’s credentials were compromised for its web mail service, allowing unauthorized access to some accounts between January 1st and March 28th, 2019.
Motherboard claims hackers have been able to access some accounts for up to six months, and have used the access to reset iCloud accounts linked to stolen iPhones.
A Microsoft spokesperson tells The Verge “the claim of 6 months is inaccurate,” and pointed towards the company’s notification that mentioned access between January 1st and March 28th, 2019. Microsoft also clarified that the vast majority of Outlook.com accounts that were affected according to the reports of The Verge.
Microsoft has still not revealed how many accounts were affected during the attack.