Posts

Microsoft announced a data breach that gave hackers limited access to some of its customers’ email accounts. The hackers were able to see email addresses, subject lines of emails, and folders, but not open any emails or their attachments. They also were not able to obtain the customers’ passwords. Essentially, the hackers were able to do the same exact thing as looking over your shoulder in a coffee shop while your email inbox screen was open.

So what’s the big deal?

First, any time an outside agent is able to access a company’s stored data—especially information on its customers—that’s a big deal. In this case, a hacker compromised the login credentials of a customer service agent. The history of data breaches is filled with examples of cybercriminals reaching their intended target by going through this kind of side door, so to speak.

Read next: New Tool Breach Clarity Helps Consumers Make Sense of Data Breaches

Also, compromising someone’s login credentials should be a difficult-to-impossible task if the right security measures are in place. Microsoft has not provided details on how the credentials were compromised, or even whether or not it was a Microsoft employee or a third-party customer service provider. If someone was able to “guess” the username and login using readily-available hacking software, then the password wasn’t strong enough. If the hackers obtained the credentials from a previous data breach, then those credentials are being reused and not being updated routinely. If they got the credentials through a phishing scam, then the employee may not have been adequately trained on security practices and protocols.

Finally, this event is a big deal because it serves as yet-another warning about password security, email strength, and data breach fatigue. If your first response to the announcement from Microsoft was, “Here were go again…yawn,” then you may be experiencing data breach fatigue. If you read the announcement and thought, “Well, thank goodness it was just the email addresses!” you may be feeling numb to certain kinds of cybercrimes.

It’s important that customers take all data breaches and hacking attempts seriously. Microsoft has locked down the credentials on accounts that it believes were affected—in order to block any potential access the hackers may gain—but urges all Microsoft account users to change their passwords. Password strength, including frequently changing your passwords, is one of the most important things consumers can do to protect themselves from cybercrimes.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Payment App Protection: Keep Scammers Out of Your Accounts