Sunday, 14 April 2019

Microsoft reveals hackers gained access to its web email services for three months - BetaNews


Microsoft has confirmed that hackers were able to access customers' web-based email accounts for a period of three months at the beginning of the year. Between January 1 and March 28, unknown hackers hit the accounts of various Microsoft email services.

The company is in the process of sending notifications to those who have been affected by the issue and it recommends users change their account passwords.


Microsoft says that a "limited subset" of consumer accounts were affected, and the hackers have now been stopped. The attack affected @msn.com, @hotmail.com and @outlook.com email addresses, but Microsoft is keen to stress that while the hackers may have been able to access email addresses, folder names and email subject lines, the content of emails -- including attachments -- was not accessed.

TechCrunch shares an email sent out to users by Microsoft:

Microsoft is committed to providing our customers with transparency. As part of maintaining this trust and commitment to you, we are informing you of a recent event that affected your Microsoft-managed email account.

We have identified that a Microsoft support agent's credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account. This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments, between January 1st 2019 and March 28th 2019.

Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access. Our data indicates that account-related information (but not the content of any e-mails) could have been viewed, but Microsoft has no indication why that information was viewed or how it may have been used. As a result, you may receive phishing emails or other spam mails. You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source (you can read more about phishing attacks at https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/phishing).

It is important to note that your email login credentials were not directly impacted by this incident. However, out of caution, you should reset your password for your account.

Microsoft has not said how many accounts were affected by the incident, nor has it given any indication of who may have been responsible. In addition to the email sent to customers, Microsoft's only further comment is a statement in which it says: "We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators' access".

Image credit: hafakot / Shutterstock



https://betanews.com/2019/04/14/microsoft-email-hacked/

2019-04-14 06:55:14Z

Saturday, 13 April 2019

OpenAI’s Dota 2 AI steamrolls world champion e-sports team with back-to-back victories - The Verge

OpenAI, the nonprofit research organization founded by Elon Musk, can claim a world first: its artificial intelligence system trained to play the complex strategy game Dota 2 has bested a world champion e-sports team today. The competition was held in San Francisco and dubbed the OpenAI Five Finals, ending the organization’s public demonstrations of its Dota-playing technology on a high note.

The competition on the human side included five top Dota 2 pros from team OG, which won the world’s most coveted e-sports prize last year when it took the top spot at The International, the premier annual Dota 2 tournament with prizes now totaling $25 million. OG faced off in a best-of-three contest against the OpenAI Five bots, all trained using the same deep reinforcement learning techniques and controlled independently by different layers of the same system. Reinforcement learning is effectively a trial and error approach to self-improvement, wherein the AI is dropped into the game environment with zero understanding of how the game works and trained using reward systems and other incentivizing mechanisms.

Today’s performance is by far the highest-quality demonstration of OpenAI Five’s capabilities to date, with the system having narrowly lost two games to less capable e-sports teams last August. According to Greg Brockman, OpenAI’s chief technology officer, OpenAI Five improves by playing itself in an accelerating virtual environment. “OpenAI Five is powered by deep reinforce learning, which means we didn’t code it how to play. We coded it how to learn,” Brockman told the crowd ahead of the competition. “In its 10 months of existence, it’s already played 45,000 years of Dota 2 gameplay. That’s a lot — it hasn’t grown bored yet.”

Dota 2 is a vastly complex strategy game, involving more than 100 unique characters, deep skill trees and item lists, and a dizzying array of variables playing out onscreen at any given moment in a match. As such, OpenAI imposes certain limits when its AI system plays professional players, most prominently by capping the number of heroes used by both five-player teams.

In this case, each squad had 17 heroes to choose from. OpenAI also chose the so-called “Captain’s Draft” game mode, which lets each team strategically ban heroes to prevent the other team from selecting those characters before using a distinct picking order. That lets the captain build off strengths between hero combinations and leverage enemy hero weaknesses through strong counters once the teams do begin filling out the roster one by one. Like prior matches, OpenAI also disabled summoning and illusion features, both of which involve bringing on additional variables in the form of hero copies and unique creatures that OpenAI hasn’t trained its system to account for.

Beyond that, the game is played just like a normal Dota 2 match, with the ultimate goal of destroying the enemy team’s “ancient,” or a large tower at the end of each team’s territory that becomes vulnerable only when the enemy team successfully destroys smaller towers throughout the course of the match, in between hero-on-hero team fights.

In the first match of the day, OpenAI Five surprised OG and claimed victory through reliance on a number of aggressive tactics, including the peculiar decision to spend earned in-game currency to instantly revive heroes upon death, even early in the game. As noted by Greg Brockman, OpenAI’s chief technology officer, OpenAI is fond of strategies that favor short-term gain, revealing its deficiencies in mastering the type of long-term planning humans are great at and typically rely on to win such strategy contests. However, in this match, the early buy backs paid off and OpenAI Five gained an edge that OG simply could not overcome as the match dragged on into the 30-minute range.

In the second match, OpenAI performed even better, gaining an early advantage against OG in the first few minutes and then ruthlessly advancing on the human players until it clinched victory in a little more than half the time it needed to win the first match. Mike Cook, an avid Dota 2 player and viewer who specializes in the blending of AI and game design, noted how unusually aggressive OpenAI Five began playing in the second match, and how little OG was doing to combat its advances across the map. Cook noted specifically how well OpenAI Five was able to take advantage of its specific hero picks.

Developing...



https://www.theverge.com/2019/4/13/18309459/openai-five-dota-2-finals-ai-bot-competition-og-e-sports-the-international-champion

2019-04-13 21:05:57Z

Here's why Apple and Qualcomm face off in court next week with billions of dollars at stake - Phone Arena

This coming Tuesday, the biggest hockey fight in tech history makes its way to a San Diego courtroom. Once again, Apple and Qualcomm get to square off in court, but this time billions and billions of dollars are at stake. According to the Wall Street Journal, there isn't much of a personal relationship between the CEOs of both firms. As a result of the animosity between Apple's Tim Cook and Qualcomm's Steve Mollenkopf, there seems to be no common ground for settlement talks. As one unnamed Apple executive notes, "It’s personal. I don’t see anybody who can bridge this gap."

With that in mind, you have to wonder why Mollenkopf told a CNBC audience last November that Apple and Qualcomm were "on the doorstep" of resolving their issues. Cook doesn't see why Qualcomm should be allowed to take a 5% cut of the sales price of an iPhone. And that brings us to the major issue between the two tech giants, at least in this suit. Apple says that Qualcomm asks too much to license its chips, and Qualcomm says that Apple owes it a ton of cash because it stopped paying royalties to the chip maker.

No one could foresee this acrimony between the two firms growing when Qualcomm was the lone supplier of modem chips for the iPhone from 2011-2015. In 2016 and 2017, Intel and Qualcomm shared this business. By January 2017, Apple filed its first suit against Qualcomm, and by 2018 Intel was the sole supplier of modem chips for Apple's handsets. Since Intel won't have its 5G modem chips ready to ship until later this year at the earliest, a 5G iPhone isn't expected until next year. Apple is reportedly designing its own 5G chip for use as soon as 2021.

Back before the original iPhone launched in 2007, then Apple CEO Steve Jobs had a relationship with Qualcomm's CEO at the time, Paul Jacobs. Originally, Qualcomm sought a royalty amounting to 5% of the retail price of each handset Apple sold. At the time, Cook was the company's chief operating officer and he felt that Apple shouldn't pay the chip maker more than $1.50 per phone. But Jobs thought that Qualcomm should be compensated for its innovations, and worked out a compromise. Apple paid $7.50 in royalties to Qualcomm for each iPhone sold. By 2011, Qualcomm agreed to pay Apple $1 billion as an incentive payment for using its modem chips. Eventually, Apple was to receive this payment every year but would have to pay back Qualcomm if it started using another modem chip supplier. By 2011, Cook had replaced Jobs as CEO and was upset that Apple was paying Qualcomm more in royalties than all of the other iPhone licensees combined.

Five years later, Qualcomm executives were upset at Apple for giving a presentation against the company in a case involving the South Korea Fair Trade Commission. Apple said at the time that it would have to add a second modem chip supplier due to "Qualcomm’s exclusionary conduct." And Qualcomm executives soon discovered that Apple was using Intel's modem chips on the iPhone 7. As a result, the chip maker stopped paying Apple the annual $1 billion incentive payment. Apple retaliated by cutting off royalty payments to Qualcomm and both firms ended up filing numerous lawsuits against each other.
The Apple iPhone 7 was the first to use an Intel modem chip

Qualcomm has a bigger headache than Apple

While hopeful that both sides can kiss and make up, Qualcomm doesn't want to lower its royalty rates to strike a deal with Apple. Under the contracts it has with other phone manufacturers, Qualcomm would then have to reduce the royalties it receives from the other companies.

But Apple might not be the biggest headache that Qualcomm has. Earlier this year, the FTC took on Qualcomm's licensing practices in a non-jury trial heard by Judge Lucy Koh. A decision could be announced at any time. If Judge Koh, famous for presiding over the first Apple v. Samsung case, rules against Qualcomm, the company could be forced to completely overhaul the way it sells chips to phone manufacturers.



https://www.phonearena.com/news/Courtroom-drama-next-week-stars-Apple-Qualcomm-and-billions-of-dollars_id115262

2019-04-13 17:52:58Z

Microsoft webmail breach exposed email addresses and subject lines - Engadget

Jon Fingas/Engadget

You'll want to keep an eye out for suspicious activity if you use Microsoft's webmail services. The company has confirmed to TechCrunch that "cybercriminals" compromised a "limited number" of its web-based email accounts between January 1st and March 28th by using a customer support rep's credentials. The breach didn't expose sign-in details or message contents, but it did offer access to email addresses (including names of addresses in conversations), subject lines and custom folder names.

It's not certain how many people were affected, or where the largest group of victims was. Some of them were likely in the European Union, though, as Microsoft is offering contact info for its data protection officer. Enterprise customers also weren't involved. The tech firm's email offerings include everything from modern Outlook.com accounts through to legacy Hotmail and MSN addresses.

This is unlikely to be as far-reaching as the breach that touched on more than 772 million email addresses, but it's still a substantial violation of privacy. The attackers could theoretically use this not just for spam, but to piece together details of users' personal lives and rely on that for fraud and identity theft.



https://www.engadget.com/2019/04/13/microsoft-webmail-data-breach/

2019-04-13 16:27:30Z

Cybercriminals Compromised Some Outlook.com Accounts - Thurrott.com


Microsoft this week admitted that “cybercriminals” have compromised a small number of Outlook.com accounts. But the firm says it has no idea how the accounts were compromised.

“Microsoft recently became aware of an issue involving unauthorized access to some customers’ web-based email accounts by cybercriminals,” a Microsoft statement provided to TechCrunch reads. “We addressed this scheme by disabling the compromised credentials to the limited set of targeted accounts, while also blocking the perpetrators’ access. A limited number of consumer accounts were impacted, and we have notified all impacted customers. Out of an abundance of caution, we also increased detection and monitoring to further protect affected accounts.”

Here’s what we do know.

The accounts were compromised during January, February, and March 2019.

To access the customer accounts, the cybercriminals first compromised Microsoft support representative accounts. Microsoft doesn’t know how this happened, but it has since disabled those accounts.

“You should be careful when receiving any e-mails from any misleading domain name, any e-mail that requests personal information or payment, or any unsolicited request from an untrusted source,” a Microsoft email to the compromised customers reads. The problem being, of course, that Microsoft support representatives should generally be trusted.

The compromises only include consumer Outlook.com accounts, not commercial (business) accounts of any kind.

Though email login credentials were not directly impacted by this incident, Microsoft is recommending that all impacted customers reset their email passwords as a precaution.



https://www.thurrott.com/cloud/microsoft-consumer-services/outlook/204953/cybercriminals-compromised-some-outlook-com-accounts

2019-04-13 15:21:58Z

A security researcher with a grudge is dropping Web 0days on innocent users - Ars Technica


Over the past three weeks, a trio of critical zeroday vulnerabilities in WordPress plugins has exposed 160,000 websites to attacks that allow criminal hackers to redirect unwitting visitors to malicious destinations. A self-proclaimed security provider who publicly disclosed the flaws before patches were available played a key role in the debacle, although delays by plugin developers and site administrators in publishing and installing patches have also contributed.

Over the past week, zeroday vulnerabilities in both the Yuzo Related Posts and Yellow Pencil Visual Theme Customizer WordPress plugins, used by 60,000 and 30,000 websites respectively, have come under attack. Both plugins were removed from the WordPress plugin repository around the time the zeroday posts were published, leaving websites little choice but to remove the plugins. On Friday, Yellow Pencil issued a patch, three days after the vulnerability was disclosed. At the time this post was being reported, Yuzo Related Posts remained closed with no patch available.

In-the-wild exploits against Social Warfare, a plugin used by 70,000 sites, started three weeks ago. Developers for that plugin quickly patched the flaw, but not before sites that used it were hacked.

Scams and online graft

All three waves of exploits caused sites that used the vulnerable plugins to surreptitiously redirect visitors to sites pushing tech-support scams and other forms of online graft. In all three cases, the exploits came after a site called Plugin Vulnerabilities published detailed disclosures on the underlying vulnerabilities. The posts included enough proof-of-concept exploit code and other technical details to make it trivial to hack vulnerable sites. Indeed, some of the code used in the attacks appeared to have been copied and pasted from the Plugin Vulnerabilities posts.

Within hours of Plugin Vulnerabilities publishing the Yellow Pencil Visual Theme and Social Warfare disclosures, the zeroday vulnerabilities were actively exploited. It took 11 days after Plugin Vulnerabilities dropped the Yuzo Related Posts zeroday for in-the-wild exploits to be reported. There were no reports of exploits of any of the vulnerabilities prior to the disclosures.

All three of Plugin Vulnerabilities’ zeroday posts came with boilerplate language that said the unnamed author was publishing them to protest “the moderators of the WordPress Support Forum’s continued inappropriate behavior.” The author told Ars that s/he only tried to notify developers after the zerodays were already published.

"Our current disclosure policy is to full disclose vulnerabilities, and then to try to notify the developer through the WordPress Support Forum, though the moderators there look to often just delete those messages and not inform anyone about that," the author wrote in an email.

According to a blog post Social Warfare developer Warfare Plugins published Thursday, here’s the timeline for March 21, when Plugin Vulnerabilities dropped the zeroday for that plugin:

02:30 PM (approx.) – An unnamed individual published the exploit for hackers to take advantage of. We don’t know the exact time of the release because the individual has hidden the publishing time. Attacks on unsuspecting websites begin almost immediately.

02:59 PM – WordPress discovers the publication of the vulnerability, removes Social Warfare from the WordPress.org repository, and emails our team about the issue.

03:07 PM – In a responsible, respectable way, WordFence publishes their discovery of the publication and vulnerability, giving no details about how to take advantage of the exploit.

03:43 PM – Every member of the Warfare Plugins team is brought up to speed, given tactical instructions, and begins taking action on the situation in each respective area: development, communications, and customer support.

04:21 PM – A notice saying that we are aware of exploit, along with instructions to disable the plugin until patched, was posted to Twitter as well as to our website.

05:37 PM – Warfare Plugins development team makes final code commits to patch the vulnerability and undo any malicious script injection that was causing sites to be redirected. Internal testing begins.

05:58 PM – After rigorous internal testing, and sending a patched version to WordPress for review, the new version of Social Warfare (3.5.3) is released.

06:04 PM – Email to all Social Warfare – Pro customers is sent with details of the vulnerability, and instructions on how to update immediately.

No remorse

The author said s/he scoured both Yuzo Related Posts and Yellow Pencil for security after noticing they had been removed without explanation from the WordPress plugin repository and becoming suspicious. “So while our posts could have led to exploitation, it also [sic] possible that a parallel process is happening,” the author wrote.

The author also pointed out that 11 days passed between the disclosure of the Yuzo Related Posts zeroday and the first known reports it was being exploited. Those exploits wouldn’t have been possible had the developer patched the vulnerability during that interval, the author said.

Asked if there was any remorse for the innocent end users and website owners who were harmed by the exploits, the author said: “We have no direct knowledge of what any hackers are doing, but it seems likely that our disclosures could have led to exploitation attempts. These full disclosures would have long ago stopped if the moderation of the Support Forum was simply cleaned up, so any damage caused by these could have been avoided, if they would have simply agreed to clean that up.”

The author declined to provide a name or identify Plugin Vulnerabilities other than to say it was a service provider that finds vulnerabilities in WordPress plugins. “We are trying to keep ahead of hackers, since our customers pay us to warn them about vulnerabilities in the plugins they use and it obviously is better to be warning them before they could have been exploited instead of after.”

Whois Plugin Vulnerabilities?

The Plugin Vulnerabilities website has a copyright footer on each page that lists White Fir Designs, LLC. Whois records for pluginvulnerabilities.com and whitefirdesign.com also list the owner as White Fir Designs of Greenwood Village, Colorado. A business database search for the state of Colorado shows that White Fir Designs was incorporated in 2006 by someone named John Michael Grillot. In 2014, the Secretary of State’s office changed White Fir Design’s legal status from “in good standing” to "delinquent," for "failure to file Periodic Report".

The crux of the author’s beef with WordPress support forum moderators, according to threads such as this one, is that they remove his posts and delete his accounts when he discloses unfixed vulnerabilities in public forums. A recent post on Medium said he was “banned for life,” but had vowed to continue the practice indefinitely using made-up accounts. Posts such as this one show Plugin Vulnerabilities' public outrage over WordPress support forums has been brewing since at least 2016.

To be sure, there’s plenty of blame to spread around recent exploits. Volunteer-submitted WordPress plugins have long represented the biggest security risk for sites running WordPress, and so far developers of the open-source CMS haven’t figured out a way to sufficiently improve the quality. What's more, it often takes far too long for plugin developers to fix critical vulnerabilities and for site administrators to install them. Warfare Plugins’ blog post offers one of the best apologies ever for its role in not discovering the critical flaw before it was exploited.

But the bulk of the blame by far goes to a self-described security provider who readily admits to dropping zerodays as a form of protest or, alternatively, as a way to keep customers safe (as if exploit code was necessary to do that). With no apologies and no remorse from the discloser—not to mention a dizzying number of buggy, poorly-audited plugins in the WordPress repository—it wouldn’t be surprising to see more zeroday disclosures in the coming days.



https://arstechnica.com/information-technology/2019/04/a-security-researcher-with-a-grudge-is-dropping-web-0days-on-innocent-users/

2019-04-13 15:18:00Z