Microsoft revealed on Wednesday that one of its internal customer support databases had been compromised, following an investigation by the corporation's security group.
According to its security response website, the technology giant said it didn't believe that the data breach had exposed personally identifiable information. "We want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.
Microsoft confirmed as part of its statement that it has begun sending notifications to customers whose data was present in this redacted database.
This incident, however, along with other data breaches announced by large organizations, shows how easy it is for data to become compromised whether because of human error or cyberattacks. Also on Wednesday (January 22), the Cybersecurity and Infrastructure Security Agency (CISA) put out a warning to businesses and consumers alike about an increase in targeted malware attacks—specifically Emotet, a sophisticated Trojan—infiltrating email chains using virus-riddled attachments to proliferate within a network by using "user credentials and writing to shared drives."
![Microsoft logo](https://cdn.statically.io/img/d.newsweek.com/en/full/1562566/microsoft-logo.jpg?w=1200&f=f7a91319fc52d0c695eb4d7b0ae8f63c)
"Emotet malware is typically distributed via malicious emails that have inline links or attached macro documents," Kimberly Goody, senior manager, cybercrime analysis at FireEye, told Newsweek. "While Emotet does use more generic lures like invoice and payment themes, its ability to hijack existing email threads is more problematic.
"By leveraging existing communications and using those essentially as their email template, they create a stronger sense of authenticity to the recipients." Goody goes further with her explanation, saying that because of this, everyone is a potential target with the use of "automated personalization" making it harder to spot by unsuspecting victims.
![Credit cards data lost information](https://cdn.statically.io/img/d.newsweek.com/en/full/1562572/credit-cards-data-lost-information.jpg?w=1200&f=43810e084e3e3d754ae972a429a5e9d9)
But why should Americans be worried about this? Victor Acin, a threat intelligence analyst from Blueliv explained to Newsweek: "The black market for stolen credentials is huge—they are sold for good money in hidden areas of the Internet." He goes onto say that for cybercriminals, a valid login and password combination is basically a key that opens doors to a myriad of illegal activitie, from "blackmail to fraud," usually with the end goal of making a financial profit.
"The vast majority of hacking-related security breaches use either stolen or weak passwords and there's very little a user can do if a criminal has the right password," Acin continues. "Cybercriminals have several techniques to steal user credentials such as phishing, installing malware or creating fake websites."
How do you find out whether your account has been hacked?
According to the Identity Theft Resource Center, 1.6 billion records have been leaked since 2005—that is nearly five times the size of the U.S. population.
What this means is there's a good chance that a person's details have been leaked at some point in time. Thankfully, there are several ways a consumer can find out whether their details have been compromised and how they can do something about it.
While companies usually inform their customers when there has been a data breach, it is worth being proactive. HIBP has been logging data breaches since its inception in 2013. Run by Troy Hunt, a blogger at troyhunt.com and international speaker on web security, the website helps people identify whether their credentials—email address mainly— have been compromised by aggregating information on breaches as they happen or are revealed.
When people put their email address into the search function on the home page, they are shown whether the domain has suffered a breach and whether the personal information has been "pasted." This refers to information put on a publicly facing website designed to share content such as Pastebin. According to HIBP, these services are favored by hackers due to the ease of anonymity.
For breaches involving financial information—such as the Wawa data breach or medical information such as the data breach of U.S. marijuana dispensaries—more often than not businesses that have been compromised will offer their customers compensation or free access to credit companies such as Experian.
![Concerned Caller](https://cdn.statically.io/img/d.newsweek.com/en/full/1562574/concerned-caller.jpg?w=1200&f=10eed40082a8582cc515a271bb7dd057)
If at any time someone suspects they have been the victim of fraud or have had their data compromised, they can report it to the following organizations, according to the official U.S. government website:
- Contact the Consumer Financial Protection Bureau about problems with mortgages, credit and loan-related fraud including money transfers, student loans, credit reports, and other financial services
- Report identity theft, when someone steals your personal information to apply for credit, file taxes, and commit other fraudulent acts, to IdentityTheft.gov
- Submit a complaint to the Internet Crime Complaint Center (IC3) when a scammer uses fake email, text messages, or copycat websites to try to steal your identity or personal information
- File a report with the Department of Health and Human Services' (HHS) Inspector General about scammers who try to get your personal information or Medicare number to steal your identity and commit Medicare fraud
- Report imposter scam calls or text messages online
If you have been impacted by a data breach, Acin advises the following: "Users need to be extra vigilant by using a different password for each account, changing passwords often and making them as complex as possible—a combination of letters, numbers and symbols all help."
Correction 1/28/2020, 11:53 a.m. ET: This article was updated to remove incorrect information provided by software company Specops and its PR company Journalistic which suggested that numerous customer data breaches had occurred at companies including Deliveroo, Elvie, IBM, Apple and HSBC.
Uncommon Knowledge
Newsweek is committed to challenging conventional wisdom and finding connections in the search for common ground.
Newsweek is committed to challenging conventional wisdom and finding connections in the search for common ground.
About the writer
Sophia Waterfield is a reporter for Newsweek based at its London bureau. She has written for publications such as Metro UK, ... Read more