How to Know If Your Microsoft Account Has Been Hacked: Check Here to See If You've Been Compromised

Microsoft revealed on Wednesday that one of its internal customer support databases had been compromised, following an investigation by the corporation's security group.

According to its security response website, the technology giant said it didn't believe that the data breach had exposed personally identifiable information. "We want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.

Microsoft confirmed as part of its statement that it has begun sending notifications to customers whose data was present in this redacted database.

This incident, however, along with other data breaches announced by large organizations, shows how easy it is for data to become compromised whether because of human error or cyberattacks. Also on Wednesday (January 22), the Cybersecurity and Infrastructure Security Agency (CISA) put out a warning to businesses and consumers alike about an increase in targeted malware attacks—specifically Emotet, a sophisticated Trojan—infiltrating email chains using virus-riddled attachments to proliferate within a network by using "user credentials and writing to shared drives."

Microsoft logo
A logo sits illuminated outside the Microsoft booth on day 2 of the GSMA Mobile World Congress 2019 on February 26, 2019, in Barcelona, Spain. Microsoft has revealed it has been the victim of a data breach but that it doesn't believe any personal information has been compromised. David Ramos/Getty Images

"Emotet malware is typically distributed via malicious emails that have inline links or attached macro documents," Kimberly Goody, senior manager, cybercrime analysis at FireEye, told Newsweek. "While Emotet does use more generic lures like invoice and payment themes, its ability to hijack existing email threads is more problematic.

"By leveraging existing communications and using those essentially as their email template, they create a stronger sense of authenticity to the recipients." Goody goes further with her explanation, saying that because of this, everyone is a potential target with the use of "automated personalization" making it harder to spot by unsuspecting victims.

Credit cards data lost information
Stock image: Financial institutions such as HSBC have been victims of data breaches. iStock

But why should Americans be worried about this? Victor Acin, a threat intelligence analyst from Blueliv explained to Newsweek: "The black market for stolen credentials is huge—they are sold for good money in hidden areas of the Internet." He goes onto say that for cybercriminals, a valid login and password combination is basically a key that opens doors to a myriad of illegal activitie, from "blackmail to fraud," usually with the end goal of making a financial profit.

"The vast majority of hacking-related security breaches use either stolen or weak passwords and there's very little a user can do if a criminal has the right password," Acin continues. "Cybercriminals have several techniques to steal user credentials such as phishing, installing malware or creating fake websites."

How do you find out whether your account has been hacked?

According to the Identity Theft Resource Center, 1.6 billion records have been leaked since 2005—that is nearly five times the size of the U.S. population.

What this means is there's a good chance that a person's details have been leaked at some point in time. Thankfully, there are several ways a consumer can find out whether their details have been compromised and how they can do something about it.

While companies usually inform their customers when there has been a data breach, it is worth being proactive. HIBP has been logging data breaches since its inception in 2013. Run by Troy Hunt, a blogger at troyhunt.com and international speaker on web security, the website helps people identify whether their credentials—email address mainly— have been compromised by aggregating information on breaches as they happen or are revealed.

When people put their email address into the search function on the home page, they are shown whether the domain has suffered a breach and whether the personal information has been "pasted." This refers to information put on a publicly facing website designed to share content such as Pastebin. According to HIBP, these services are favored by hackers due to the ease of anonymity.

For breaches involving financial information—such as the Wawa data breach or medical information such as the data breach of U.S. marijuana dispensaries—more often than not businesses that have been compromised will offer their customers compensation or free access to credit companies such as Experian.

Concerned Caller
Stock image: Customers whose details have been compromised can call the appropriate organizations and be proactive in securing their accounts. iStock

If at any time someone suspects they have been the victim of fraud or have had their data compromised, they can report it to the following organizations, according to the official U.S. government website:

If you have been impacted by a data breach, Acin advises the following: "Users need to be extra vigilant by using a different password for each account, changing passwords often and making them as complex as possible—a combination of letters, numbers and symbols all help."

Correction 1/28/2020, 11:53 a.m. ET: This article was updated to remove incorrect information provided by software company Specops and its PR company Journalistic which suggested that numerous customer data breaches had occurred at companies including Deliveroo, Elvie, IBM, Apple and HSBC.