Microsoft has notified customers that the Russian criminals who compromised its systems earlier this year stole even more emails than it first admitted.
Russian hackers who broke into Microsoft’s systems and spied on staff inboxes earlier this year in January also stole emails from its customers, the Redmond-based company admitted last Thursday, around six months after it first disclosed the cyberattack.
Microsoft previously informed some individuals that their emails were viewed, but the company is now providing more specific details about the impacted accounts, Bloomberg reports.
“We are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor, and we are providing the customers the email correspondence that was accessed by this actor,” a Microsoft spokesperson told Bloomberg (the article is paywalled).
“This is increased detail for customers who have already been notified and also includes new notifications.”
Subscribe to our newsletter for the latest updates on Esports, Gaming and more.
Microsoft is also sharing the compromised emails with its customers. However, the company has not yet disclosed the total number of impacted individuals or the volume of stolen emails.
The tech giant said in January that a Russia-based threat actor, Midnight Blizzard, had accessed “a very small percentage” of the company’s corporate email accounts. Employees with compromised emails included members of the senior leadership, cybersecurity, and legal teams.
Later in March, the company said those hackers were still trying to break in, but it maintained that there’s “no evidence” so far that the cyberattack compromised any customer-facing systems.
Microsoft also fell victim to Chinese state-sponsored hackers last year. That breach resulted in the theft of emails and other sensitive data from senior government officials. The incident sparked controversy, leading Microsoft President Brad Smith to testify before Congress in June 2024 to address the company’s security practices.