When I worked for MSN/Hotmail around 2000-2003, there were dozens of helpdesk folks who had access to an admin panel to easily view any email and could view/edit PII for anyone with very little (if not zero) accounting or auditing. It was protected by plaintext auth and open to the internet.
One employee told me that he caught his wife cheating by reading her mail.
Another used it to recover their own stolen EQ account worth thousands.
I personally used this access to help a friend recover a hacked/stolen Hotmail account. I told them the email address, what had happened to it, and they forwarded me a screenshot of their Passport.NET PII details for them to use the self-service password reset.
Obviously not much has changed.
My line of thinking is to assume auditing and access controls are lax unless the data in question is part of the company's secret sauce, or is regulated by the government.
What's an EQ account?
Even when it comes to third party audit, those are ring binder driven processes. Does the audit report get generated? Yes, check. Does the person it goes to have a requirement to check it? Yes, check. Done, pass. Auditors _might_ ask to see an example report, but they definitely aren't going to add bogus entries to see what happens for example.
Spot checks aren't a thing in almost any industry. "Chaos Monkey" style checks aren't a thing anywhere at all. So it's easily possible that for six months (or three months) Microsoft was generating internal reports that said "Bob the Helpdesk worker has accessed ten times more user emails today than anybody else" and nobody was asking "Wait, why is Bob an outlier?".
With a targeted attack like this one, your suggestion about requiring a ticket doesn't help very much, the attacker is motivated to jump through hoops unlike script kiddies looking for low-hanging fruit. Insider fraud at banks has been known to go as far as a fake "customer" phoning up to authorize the steps that the bad guys want to take, so that there's an authorization on record when they do them and it won't immediately be flagged as a problem. The real customer may later convince a court that it wasn't them, but that's not real time, the insiders are long gone and so is the money.
Now, you can build systems where it's just impossible for even your own people to get access. But that has a high cost, as you will see in every thread where people castigate Google because they got locked out of something. Why can't Google just hire helpdesk people who have super-user access, they ask...
If this was a specially privileged superuser account, it should have had more attention paid to it. Yes, it's hard to scale audits or monitoring to the entire customer support org. But if you only have three people that can actually read people's emails, you can certainly audit just their use.
If it's not a specially privileged superuser, then every random helpdesk account can read everything from everyone. This does not inspire confidence.
And even skipping all the complex systems that should have been in place for a system the size of Hotmail: Why did this account not have 2FA? This is basic stuff.
It's consumer Hotmail. From Microsoft’s perspective, that is probably excuse enough.
Of course, I've seen pretty bad things in large HIPAA covered entities with systems with PHI; insufficient security and accountability of support accounts and recovery processes is found lots of places.
Auditing isn't a system feature, it's a business process feature. A system can have logging and even detection of situations requiring auditing, but if no one is systematically reviewing—auditing—the results, it doesn't have auditing.
I do like that they have customer service though.
I don't see how allowing helpdesk operators to help users recover access to their accounts has any relation at all to the helpdesk operators having access to the account itself. They need to be able to access and update account metadata, not the account itself.
So in your system the bad guy can't read my email because he only has the ability to access and update account metadata such as my password and the helpdesk system doesn't give him access to the actual email?
That would work, unless any of the bad guys is smarter than you and realises that they can use this metadata to... log into my account and read my email.
No need to be so rude and disrespectful.
Obviously there needs to be a password reset mechanism. That mechanism can absolutely be designed in a way that does not involve the helpdesk operator having access to the password or the account.
There are a great many failures of process here.
It's a little depressing to go to work and try to deal with the atrocious stuff I have to deal with, and then think how much of my life is online at companies probably just as bad as my own.
> There is also a user “email@example.com” that has permission “auth.impersonation.impersonateNormalUser”
So it exists, but hopefully Google doesn't have the same issues with giving helpdesk employees access to impersonation.
By "this" you mean "Someone had access to that particular help desk account", not the whole system ?
If you are talking about secure e-mail cryptography philosophy along the lines of PGP, ProtonMail, et cetera, sure you can achieve that through those means. Otherwise it's a pipe dream with a product like Outlook that's built for businesses and having AD style control.
The problem is that an attacker can follow the "legitimate" path - and such attacks should be audited and detected, which is what obviously failed here.
Makes you wonder how vulnerable less mature services are...
(naturally finding a politician or celebrity once in a while)
For example, they can get access to basic information and option to reset password, if user forgets the password. For anything else, they should get explicit permission (or it can be granted automatically when user opens a support ticket when he/she is logged in, if that's properly specified when creating a ticket).
Protonmail stores all your emails encrypted, with the encryption dependent on your password, so something like this couldn't happen there.
Are emails automatically encrypted with a hash of the user password when they are received?
If the user forgets the password, how do password resets work?
Are the emails before the password reset "lost", or does ProtonMail keep a copy of the hashed password (which I suppose would be needed to log in with in the first place) to unencrypt the older emails, and re-encrypt with the newer password?
It certainly is something that users should probably be aware of. At least I would...