According to Microsoft, the issue went unnoticed for three months before it closed the vulnerability. Microsoft has downplayed the issue by stating that the information viewable was limited, but recent news has brought this claim into question.

What Happened?

Outlook was left vulnerable through a third-party support agent whose credentials had been compromised; according to one source, the access came through a customer support portal. Hackers had access to email information for some users between January 1 and March 28, 2019. Microsoft hasn’t revealed how many users were affected by the data leak, aside from stating that it is a “limited subset” of the total Outlook users.

What Details Could the Hackers See?

Not all email details were available to hackers, according to early reports. The vulnerable details definitely included email addresses, folder names, and email subject lines. Not included, according to Microsoft: text from the body of any emails, any login information or passwords, and any attachments within any emails. However, that initial statement might have underreported the issue.

Could Hackers Access Email?

An anonymous source has told Vice’s Motherboard a different story, saying that the full text of email bodies was vulnerable in some cases. When confronted with these claims by Motherboard, Microsoft told them hackers could indeed have accessed the body of emails received by “around 6 percent of a small number of impacted customers.” According to Motherboard’s source, paying enterprise users’ accounts weren’t affected, while consumer users’ accounts were. Granted, that anonymous source hasn’t been proven entirely accurate: they claimed the data breach left users vulnerable for “at least six months,” while Microsoft hasn’t backed down on its assertion that the data was only accessible from the beginning of January until March 28. Whatever the case, there’s no ignoring how meaningful the information that leaked could be.

Are Outlook.com users now safe?

Microsoft has stated through a spokesperson that they’ve disabled any “compromised credentials” and “block[ed] the perpetrators’ access.” It looks like Outlook.com users are now secure, for a certain definition of the word. At this point, we’ve seen so many high-profile data breaches in the past few years that a sense of fatigue has set in among some. Nevertheless: Outlook.com users should change their passwords, just as a precaution.