Wave Systems Corp. (fka WAVXQ)

[Genz2]

Microsoft reveals hackers accessed some Outlook.com accounts for months

https://www.theverge.com/2019/4/13/18309192/microsoft-outlook-email-account-hack-breach-security

Microsoft has started notifying some Outlook.com users that a hacker was able to access accounts for months earlier this year. The software giant discovered that a support agent’s credentials were compromised for its web mail service, allowing unauthorized access to some accounts between January 1st and March 28th, 2019. Microsoft says the hackers could have viewed account email addresses, folder names, and subject lines of emails, but not the content of emails or attachments.

It’s not clear how many users have been affected by the breach, or who was involved in obtaining access to Outlook.com email accounts. “Our data indicates that account-related information (but not the content of any e-mails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used,” says Microsoft in an email to affected users.

The hackers weren’t able to steal login details, or other personal information, but out of caution Microsoft is recommending that affected users reset their passwords. “Microsoft regrets any inconvenience caused by this issue,” says the security notification. “Please be assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence.”

This security incident comes weeks after a former security researcher pled guilty to hacking into Microsoft and Nintendo servers. Microsoft’s Windows development servers were breached for a number of weeks in January, 2017, allowing hackers across Europe to access pre-release versions of Windows.

Microsoft confirmed the breach in a statement to The Verge, but the company isn’t revealing exactly how many accounts were affected. “We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” says a Microsoft spokesperson.

Update, April 13th 12:05PM ET: Article updated with Microsoft statement.

- see link for Microsoft's statement...
=================================================================
Wave VSC 2.0 and an activated TPM is needed in so many critical areas. Events like this wouldn't have happened with Wave VSC 2.0! Not quite sure why Microsoft didn't have Windows Hello enabled on that support agent's computer (maybe it was a Windows 7 machine which Wave VSC 2.0 can run on; along with Windows 8, 8.1 and 10).
=================================================================
https://www.wavesys.com/products/wave-virtual-smart-card

Excerpts:

One helpdesk call you'll never get: "I lost my virtual smart card again..."

There are so many ways to lose a token – couch cushions, street drains, curious toddlers. In fact, up to 30% of all tokens are eventually lost. It’s much harder to lose a laptop, and you notice a lot faster when you do.

The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.

When we say “secure”…

…we mean it. Our solution starts with a proven hardware root-of-trust. Multi-factor authentication is an established best-practice for strong authentication: the TPM-based virtual smart card is one factor (something you have) and the user PIN is a second factor (something you know).