If you haven’t already heard, Hackers compromised Microsoft support agent’s credentials to access customer email accounts, according to an article on TechCrunch. The article states that “Microsoft has confirmed to TechCrunch that a certain limited number of people who use web email services managed by Microsoft — which cover services like @msn.com and @hotmail.com — had their accounts compromised.”
“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” said a Microsoft spokesperson in an email. The article goes on to say that Microsoft has not explained how the credentials got compromised.
There’s this one term you almost always hear with a successful cyber-attack of any kind: compromised credentials.
Do know what compromised credentials means? It’s code for they got phished. How else do credentials get compromised?
Most credentials are compromised because some other credentials were compromised first. Sure enough, according to an article on Vice.com, “the Microsoft support account used belonged to a high privileged user, meaning they likely have more access to material than other employees.”
The reason Microsoft hasn’t explained how it happened is they don’t want to cop to the fact that they got phished. After all, that could be a big security hit to their reputation. Ironically, Microsoft cautioned their users that they might get more phishing emails as the result of the breach.
“You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source,” the company said. Too bad they don’t take their own advice.
You would think that after 773 million emails and tens of millions of passwords got leaked in January, Microsoft would be a little more vigilant about security in general and phishing protection in particular. It’s not like they don’t know that phishing is responsible for 70-90% of all successful malicious data breaches. And it’s not like the technology to prevent phishing attacks doesn’t exists or even costs a lot to implement.
Small businesses with up to 100 employees can protect them all with cloud-based phishing protection for less than 50 bucks a month. What’s keeping Microsoft and other large companies from doing the same? Maybe they just like using the term compromised credentials.