Microsoft Alerts Email Users; Hacker Gang Closes In on One Billion Records Sold

“Microsoft has no indication why that information was viewed or how it may have been used.”


Microsoft alerted Outlook.com users that a hacker obtained access to accounts earlier this year, and a cybercriminal gang continues its quest to sell the data of one billion users.

The tech giant revealed that a support agent’s credentials for its web mail service were compromised, allowing unauthorized access to some accounts between January 1 and March 28, 2019.

According to an email sent to most affected users and then posted online, Microsoft said hackers possibly viewed account-related information but not the content of any e-mails. “Microsoft has no indication why that information was viewed or how it may have been used.” Some outlets reported the breach affected 6% of Outlook accounts (Lifewire reported 400 million active users as of early 2018). Microsoft later confirmed to Motherboard that hackers gained access to the content of some customers’ emails.

A hacker or group of hackers first broke into a customer support account for Microsoft, and then used that to gain access to information related to customers’ email accounts such as the subject lines of their emails and who they’ve communicated with.

Patrick Hunter, a director at Aliso Viejo, Calif.-based One Identity, said, “This latest breach highlights the fact that organizations, even the size of Microsoft, need to understand that every point of access to their network and systems needs to be secured. Hackers are looking for that all-important privileged account, that one account that can lead them either to the data that they’re after or to the next stepping stone.”

Hunter added, “GDPR is starting to force companies to take data protection seriously but in the case of Microsoft, where they do take it very seriously, there is still work to be done to protect our personal data from hackers.” The One Identity director suggested that accounts with access to personal data or privileges should be protected with multi-factor authentication but, even better, be locked away under lock and key with a form of password store.

“There’s no doubt that Microsoft is scrambling to find out how the credentials were compromised, and to make changes so it doesn’t happen again.” Tim Erlin, VP, product management and strategy at Portland, Ore.-based Tripwire, pointed out, “While there’s a certain amount of schadenfreude in discussing the security failings of a company like Microsoft, these types of incidents should really force every organization to evaluate how they’ve implemented their own security controls. There’s a reason that incident response is part of cybersecurity. Prevention is the ideal, but compromise remains the reality.”

Robert Vamosi, senior product marketing manager at San Francisco-based ForgeRock, said, “When large corporations like Microsoft are compromised by malicious third parties, it should serve as an example to organizations everywhere that no one is safe from cyberattacks.” Affected users, Vamosi held, are now susceptible to highly targeted spear phishing attacks that trick users into opening email and possibly malicious documents containing malware. “Even though login credentials were unaffected, users should consider changing their passwords and enabling multi-factor authentication features if they have not already. All users should make sure to check the sender’s email addresses of emails they receive to make sure they are legitimate.”

Vamosi added, “Companies that suffer data breaches due to compromised employee accounts should consider implementing single sign on capabilities within their organization, as SSO also allows for improved security, especially when coupled with multi-factor authentication.”

As with all data breaches and/or events, the risk could extend to credit unions and other financial institutions.

According to ZDNet, a hacker named Gnosticplayers, who wanted to put up for sale the data of over one billion users, is getting dangerously close to his goal after recently releasing another 65.5 million records, reaching a total of 932 million records released.

“With the recent release of records, Gnosticplayers has compromised nearly one billion records in just two months. This doesn’t impact a single industry; this is a widespread issue that organizations need to take seriously and it’s time companies learn how to defend their attack surface against these cyberattacks,” Kevin Gosschalk, CEO and co-founder of San Francisco-based Arkose Labs, maintained.

“Since mid-February, the hacker has been putting batches of hacked data on Dream Market, a dark web marketplace for selling illegal products, such as guns, drugs, and hacking tools,” ZDNet reported.

The hacker claimed responsibility for the breaches of 44 companies. Previous releases came in four rounds: 620 million user records, 127 million, 93 million, and 26.5 million, and contained data from companies like Toronto, Canada-based online photography community 500px, American apparel company Under Armour, content-sharing widget ShareThis, video hosting company Gfycat, and genealogy platform MyHeritage.

The latest round contained data from six companies: gaming platform MindJolt, digital mall company Wanelo, e-invitations and RSVP platform Evite, South Korean travel company Yanolja, women’s fashion store Moda Operandi, and Apple repair center iCracked.

Gosschalk said, “We’ve been talking about the hacker, Gnosticplayers, for a few months, yet companies still fail to defend against attacks. After analyzing the type of companies targeted, there is no rhyme or reason other than their penetrable security.”