Microsoft Outlook hack gave full access to email contents

Hackers stole login credentials for a Microsoft customer support agent and were able to read emails from people using services like Outlook, Hotmail and MSN.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
2 min read
Microsoft Outlook on a smartphone screen

Microsoft sent a warning to Outlook users detailing a hack that lasted from Jan. 1 to March 28. 

Josh Miller/CNET

Microsoft's Outlook hack is worse than the company originally warned.

Despite Microsoft's initial notification to affected Outlook users on Friday, a follow-up statement added that hackers were able to read email content.

The company first released a statement on Friday to Outlook users, notifying people that a hacker had had access to emails for months after stealing login credentials for a Microsoft customer support agent.

The breach, first reported by TechCrunch, allowed potential hackers to access people's emails and read folder names, subject lines and names of other email addresses. Microsoft said it's since disabled stolen access to the hacked customer support agent's account.

Watch this: Cyberattack: How we were phished by professional hackers

The hacker had access to email accounts from Outlook, MSN and Hotmail between Jan. 1 and March 28, Microsoft said. The hack did not affect enterprise accounts, it added.

"We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators' access," Microsoft said in a statement. 

The company did not state how many people were affected, but said it was "a limited number of consumer accounts."

In its first notification to customers, Microsoft said no login credentials were stolen and that the attackers could not read the contents of emails.

Microsoft was forced to revise its statement after Motherboard found that the attackers had full access to email content. The company did say that potential hackers could only read full email content for about 6% of affected Outlook users.

In response to the breach, Microsoft is warning affected people to watch out for phishing emails, and recommends that people change their password. In a blog post from April, Microsoft said that it saw an average of 300,000 phishing attempts in February alone. 

Originally published April 15, 7:14 a.m. PT.
Update, 9:07 a.m.: Adds response from Microsoft.