Victims of Microsoft's Outlook hack were reportedly targeted for their use of Bitcoin. According to Motherboard, one user lost a Bitcoin, worth $5000, after attackers gained access to his email and set up a forwarding rule.
After prompting a reset of the crypto exchange account, attackers set a rule to send the confirmations to a Gmail address controlled by them. Because forwarding rules are hidden behind several sub-menus, the change would be difficult to notice.
“The hackers also had access to my inbox allowing them to password reset my Kraken.com account and withdrawal [sic] my Bitcoin,” user Jevon Ritmeester told Motherboard. “I think Microsoft talks about this way to lightly [sic] about this leak and I think there are a lot of users who have suffered damage in one way or another as there is a lot of sensitive information in an inbox.”
“Cover up” Claims
Microsoft originally told users hackers could see the subject lines of emails and the names of people in the conversations, with 6% of users possibly having their email content compromised. A source later told Motherboard that hackers could gain access to any email account as long as it wasn't corporate, with access to a large number of emails.
The source provided Motherboard with screenshots of the hack before the story broke. They said the Outlook customer support account that was compromised could, in fact, see the email body, as it was highly privileged.
On Reddit, users chimed in with similar Bitcoin-related stories. u/shinratechlabs claims they lost 25,000 in crypto, while u/mickey_ficke says he lost a smaller amount of crypto and got no support from Microsoft on the issue.
The company now tells its users to get in touch if they were impacted in a way outside of its breach notification. However, Ritmeester says he's considering legal action. Though he did not have two-factor authentication on his crypto accounts, they wouldn't have been compromised if not for the hack.
“I feel Microsoft is trying to cover up and is not taking this seriously,” he said. “I am planning to at least file a police report and thinking about holding Microsoft liable for the financial damage and the fact that a lot of my personal information may get leaked in the near future.”