Look Out: Your Microsoft Account Could Be Used to Steal Cryptocurrency!
If you're an Outlook user who has some cryptocurrency stored in an online exchange account, now would be a good time to log in to the said exchange account and make sure that everything is where it should be. As you may remember, in mid-April, Microsoft admitted that its email service had been breached and that hackers had gained unauthorized access to some of the users' information. Right now, victims are realizing that they have lost thousands of dollars in cryptocurrency because of the breach. Before we dive into the details, let's remind ourselves what happened a couple of weeks ago.
The Outlook breach
It all began when some Outlook users received notifications telling them that after phishing the login credentials of a support agent, hackers had been able to gain access to some of their personal information. The attack started in early 2019 and continued through to the end of March, and Microsoft was quick to assure users that the exposed information consisted of email addresses and metadata. According to the notification, the attackers had no way of reading emails or opening attachments. This, it quickly became apparent, was not strictly true.
An investigation by Motherboard's Joseph Cox revealed that, contrary to what Microsoft was saying, the attackers did gain full access to some users' inboxes. After being presented with cold, hard evidence, the software giant had no other choice but to admit that this was indeed the truth.
Joseph Cox had sources close to the perpetrators of the attack who told him that after infiltrating users' inboxes, the crooks compromised the iCloud accounts of people whose iPhones had been stolen. They then changed some security settings, which made selling the pilfered devices much easier.
This doesn't sound like something everyone should be worried about. It certainly doesn't concern the people who don't have iPhones. It turns out, however, that this was not the only attack the Outlook crooks tried to pull off.
Hackers used Outlook accounts to steal cryptocurrency
Once again, the report comes from Motherboard's Joseph Cox. His attention was drawn by users who complained on social media about losing money because of the Outlook breach. Multiple people used Reddit and other discussion boards to report more or less the same attack.
All of them owned some cryptocurrency which was stored in online exchange accounts, and all of them had received notifications from Microsoft which said that they had had their Outlook inboxes compromised. Apparently, they all lost thousands of dollars' worth of crypto coins.
How did it happen?
The attack was as simple as it was clever. The hackers would first use victims' email addresses to determine how many of them had accounts at popular cryptocurrency exchanges. Most of the people complaining were using the Kraken exchange at the time, though we won't be surprised if it turns out that users of other trading platforms are involved. Because they had access to the victims' inboxes, the hackers had no problems resetting the exchange accounts' passwords and making off with all the digital money. The really clever bit, however, comes from the fact that throughout the whole process, the victims were none the wiser.
At no point did the victims lose access to their Outlook accounts, which means that under normal circumstances they would have been able to see the password reset emails from Kraken and would therefore have known that something was up. To make sure this didn't happen, the hackers fiddled around with the settings of the victims' inboxes. They set up rules which would redirect any messages that contained words like "Kraken" to a Gmail account controlled by the attackers. The said messages would then be deleted. As a result, the hackers were able to complete the heist, and the password reset and withdrawal confirmation emails ended up in the Trash folder, where the victims failed to see them.
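As an added illustration, not taken from the article or from any vendor's tooling, the following Python audits an exported list of inbox rules for the combination described above: a keyword filter on an exchange name, redirection to an address outside the organisation, and deletion of the message. The rule fields, the sample rules, the trusted domain and the keyword list are all constructed assumptions.

```python
# Added example: flag inbox rules that match the exfiltrate-and-delete pattern.
# The rule schema is a constructed, simplified one, not any mail provider's format.

TRUSTED_DOMAINS = {"example.com"}  # the user's/organisation's own mail domains (assumed)
WATCH_TERMS = {"kraken", "coinbase", "binance", "password", "withdrawal", "verify"}
HIDDEN_FOLDERS = {"deleted items", "trash", "junk", "rss feeds", "archive"}

def external_targets(rule, trusted=TRUSTED_DOMAINS):
    """Return forward/redirect addresses whose domain is not in the trusted set."""
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    return [a for a in targets if a.rsplit("@", 1)[-1].lower() not in trusted]

def hides_message(rule):
    """True if the rule deletes the message or files it where the user won't look."""
    folder = rule.get("move_to_folder", "").lower()
    return bool(rule.get("delete", False)) or folder in HIDDEN_FOLDERS

def matched_terms(rule):
    """Watch-list words the rule's content conditions match on."""
    text = " ".join(rule.get("contains", [])).lower()
    return sorted(t for t in WATCH_TERMS if t in text)

def score_rule(rule):
    """Reasons the rule looks like a mailbox-exfiltration rule; empty means benign."""
    reasons = []
    ext = external_targets(rule)
    if ext:
        reasons.append("forwards to external address: " + ", ".join(ext))
    if hides_message(rule):
        reasons.append("deletes or hides the message")
    terms = matched_terms(rule)
    if terms:
        reasons.append("filters on sensitive keywords: " + ", ".join(terms))
    # Any single reason can be legitimate; the combination is the signature.
    return reasons if len(reasons) >= 2 else []

def audit(rules):
    """Map rule name -> reasons for every rule that scores as suspicious."""
    findings = {}
    for rule in rules:
        reasons = score_rule(rule)
        if reasons:
            findings[rule["name"]] = reasons
    return findings

# Constructed sample export: one benign rule and one modelled on the attack.
SAMPLE_RULES = [
    {"name": "Newsletters", "contains": ["newsletter"], "move_to_folder": "Reading"},
    {"name": ".", "contains": ["Kraken"],  # placeholder external address, constructed
     "redirect_to": ["collector@gmail.example"], "delete": True},
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_RULES).items():
        print(repr(name) + ": " + "; ".join(reasons))
```

A single forwarding rule or a single delete rule is common and benign; the audit only reports rules that stack two or more of the behaviours, which is what made the rules in this incident effective.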
Yet more proof of how important two-factor authentication is
On March 26, Kraken's Chief Security Officer, Nick Percoco, said that Two-Factor Authentication is becoming mandatory for all users of the cryptocurrency exchange. Had this announcement been made several months earlier, it would probably have saved the thousands of dollars that victims lost due to the Outlook data breach.
The hackers did indeed have access to the victims' inboxes, which enabled them to reset the passwords and make off with the money, and their skills allowed them to do it stealthily. The use of two-factor authentication, however, would have rendered the attack entirely ineffective.
One of the victims (link in Dutch) admitted that he hadn't turned on two-factor authentication because he was using a password manager and had strong, unique passwords for all his accounts. Here's hoping that he, as well as the rest of the victims, have now learned their lesson.
Microsoft's reaction leaves a lot to be desired
Two-factor authentication wasn't mandatory when the attack started, and it was up to the users to turn the feature on. That said, we can't put all the blame on them. After all, this whole thing wouldn't have happened if it weren't for the breach of Outlook's systems, and it must be said that Microsoft isn't showing us a textbook example of how this sort of incident should be handled.
In fact, people are growing increasingly unhappy with the way Microsoft reacts to the whole saga. As we mentioned already, the Redmond-based giant made some statements in the initial data breach notification which later turned out to be inaccurate. Right now, when people are complaining that they have lost considerable sums of money because of the Outlook incident, it's keeping rather quiet.
Some of the victims are saying that they'll seek legal action against Windows' creator, though they themselves admit that from a financial standpoint, they are unlikely to give Microsoft that big of a headache. When it comes to the company's reputation, however, the damage could turn out to be much more significant.