Outlook.com breach allowed hackers to read (some) emails for months

There’s some bad news for Outlook.com users, as it's emerged that the webmail service has been compromised and some folks have had their accounts hacked, with the perpetrators even able to read emails in a limited number of cases – despite Microsoft’s initial denial that email content was viewable.

Details of the security breach were revealed when TechCrunch ran a report claiming that some Outlook.com accounts – as well as those with Hotmail (the old name for Outlook.com) or MSN.com email addresses – had been compromised.

Apparently the hackers managed to get hold of a customer support tech’s login credentials, which they used to access the various consumer user accounts (paid business accounts weren’t affected).

Microsoft clarified that this “affected a limited subset of consumer accounts” and that the malicious activity began at the start of January 2019 and ran through to almost the end of March, so essentially lasted three months.

However, Microsoft said the hackers could only see the user’s email address, folders, and subject lines of messages (as well as addresses the user has emailed), but that they couldn’t actually read the contents of an email, or view attachments (or indeed gain access to the login credentials of the account).

The worry was that even limited information like email subject lines could enable malicious parties to concoct a more convincing phishing scam to aim at the user whose email they have (and they could also employ extra details like the names of friends, gleaned from the email addresses the user has contacted).

Emails have been read

However, it then emerged that matters were worse than Microsoft first admitted: Motherboard spoke to a source who claimed that a ‘large number’ of accounts were affected, and what’s more, in some cases, contents of emails were read by the hackers – and Microsoft subsequently confirmed the latter was true.

Specifically, Microsoft admitted it had sent notifications of a security breach to some users which informed them that their email content had (potentially) been read, but that this only applied to a small number of the affected users, around 6%.

We don’t know how many accounts that is, because Microsoft didn’t provide an estimate of the overall number of users who were hit by this hack.

Motherboard’s source further claimed that the hackers actually had access to emails for around six months prior to March, but Microsoft firmly denies that.

Despite the perpetrators not gaining access to account passwords, Microsoft is still recommending that if you’ve been affected, you should change your password just as a precautionary measure. Of course, if you have been affected then you should have had an email informing you of this by now.

It’s also worth underlining that it could be a good idea to keep an eye out for potential scam or phishing emails, because as we’ve already mentioned, the data gleaned from your email account – even things as simple as subject lines – could well be used to fashion a much more convincing attack to attempt to deliver malware onto your PC.

Darren is a freelancer writing news and features for TechRadar (and occasionally T3) across a broad range of computing topics including CPUs, GPUs, various other hardware, VPNs, antivirus and more. He has written about tech for the best part of three decades, and writes books in his spare time (his debut novel - 'I Know What You Did Last Supper' - was published by Hachette UK in 2013).
