America’s top cybersecurity and law enforcement officials made a coordinated push Tuesday to raise awareness about cyber threats from foreign actors in the wake of an intrusion of U.S. telecom equipment dubbed Salt Typhoon. The hackers are linked to the Chinese government and they still have a presence in U.S. systems, spying on American communications, in what Sen. Mark Warner from Virginia has called “the worst hack in our nation’s history.”

Officials with the U.S. Cybersecurity and Infrastructure Security Agency and FBI went so far as to urge Americans to use encrypted messaging apps, according to a new report from NBC News, something that’s ostensibly about keeping foreign hackers out of your communications.

[…]

“Our suggestion, what we have told folks internally, is not new here: encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible,” Jeff Greene, executive assistant director for cybersecurity at CISA, said on a press call Tuesday according to NBC News.

The unnamed FBI agent on the call with reporters echoed the message, according to NBC News, urging Americans to use “responsibly managed encryption,” which is a rather big deal when you remember that agencies like the FBI have been most resistant to Silicon Valley’s encryption efforts.

The hackers behind Salt Typoon failed to monitor or intercept anything encrypted, meaning that anything sent through Signal and Apple’s iMessage was likely protected, according to the New York Times. But the intrusion for all other communications was otherwise extremely galling. The hackers had access to metadata, including information on messages and phone calls along with when and where they were delivered. The hackers reportedly focused on targets around Washington, D.C.

The most alarming sort of intrusion in Salt Typhoon involved the system used by U.S. officials to wiretap Americans with a court order

[…]

Source: FBI Warns Americans to Start Using Encrypted Messaging Apps

It’s not like people have not been warning governments all over the world that there is no such thing as a safe backdoor to encryption and that forbidding encryption leads to a world of harm. We knew this, but still the idiots in charge wanted keys to encryption. The key, once it is in the hands of “baddies” will still work. It really does show the absolute retardation of government spy people who say breaking encryption will make us safer.

More than 600,000 sensitive files containing thousands of people’s criminal histories, background checks, vehicle and property records were exposed to the internet in a non-password protected database belonging to data brokerage SL Data Services, according to a security researcher.

We don’t know how long the personal information was openly accessible. Infosec specialist Jeremiah Fowler says he found the Amazon S3 bucket in October and reported it to the data collection company by phone and email every few days for more than two weeks.

In addition to not being password protected, none of the information was encrypted, he told The Register. In total, the open bucket contained 644,869 PDF files in a 713.1 GB archive.

“Even when I would make phone calls to the multiple numbers on different websites and tell them there was a data incident, they would tell me they use 128-bit encryption and use SSL certificates – there were many eye rolls,” he claimed.

Some 95 percent of the documents Fowler saw were labeled “background checks,” he said. These contained full names, home addresses, phone numbers, email addresses, employment, family members, social media accounts, and criminal record history belonging to thousands of people. In at least one of these documents, the criminal record indicated that the person had been convicted of sexual misconduct. It included case details, fines, dates, and additional charges.

[…]

Source: Data broker leaves 600K+ sensitive files exposed online • The Register

Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about a non-password-protected database that contained more than 1.1 million records belonging to Conduitor Limited (trading as Forces Penpals) — a service that offers dating services, and social networking for military members and their supporters.

The publicly exposed database was not password-protected or encrypted. It contained a total of 1,187,296 documents. In a limited sampling, a majority of the documents I saw were user images, while others were photos of potentially sensitive proof of service documents. These contained full names (first, last, and middle), mailing addresses, SSN (US), National Insurance Numbers, and Service Numbers (UK). These documents also listed rank, branch of the service, dates, locations, and other information that should not be publicly accessible.

Upon further research, I identified that the records belonged to Forces Penpals, a dating service and social networking community for military service members and their supporters. I immediately sent a responsible disclosure notice, and public access was restricted the following day. It is not known how long the database was exposed or if anyone else gained access to it. Only an internal forensic audit could identify additional access or potentially suspicious activity. I received a response from Forces Penpals after my disclosure notice stating: “Thank you for contacting us. It is much appreciated. Looks like there was a coding error where the documents were going to the wrong bucket and directory listing was turned on for debugging and never turned off. The photos are public anyway so that’s not an issue, but the documents certainly should not be public”. It is not known if the database was owned and managed by Forces Penpals directly or via a third-party contractor.

According to their website, the service operates social networking and support for members of the US and UK armed forces. It claims to have over 290,000 military and civilian users. Founded in 2002, Forces Penpals allowed UK citizens to write to soldiers on active duty in Iraq or Afghanistan.

[…]

Source: US and UK Armed Forces Dating & Social Networking Service Exposed Over 1 Million Records Online

There are two major reasons that the U.S. doesn’t pass an internet-era privacy law or regulate data brokers despite a parade of dangerous scandals. One, lobbied by a vast web of interconnected industries with unlimited budgets, Congress is too corrupt to do its job. Two, the U.S. government is disincentivized to do anything because it exploits this privacy dysfunction to dodge domestic surveillance warrants.

If we imposed safeguards on consumer data, everybody from app makers to telecoms would make billions less per quarter. So our corrupt lawmakers pretend the vast human harms of our greed are a distant and unavoidable externality. Unless the privacy issues involve some kid tracking rich people on their planes, of course, in which case Congress moves with a haste that would break the sound barrier.

So as a result, we get a steady stream of scandals related to the over-collection and monetization of wireless location data, posing no limit of public safety, market trust, or national security issues. Including, for example, stalkers using location data to track and harm women. Or radical right wing extremists using it to target vulnerable abortion clinic visitors with health care disinformation.

Even when U.S. troop safety is involved U.S. officials have proven too corrupt and incompetent to act. Just the latest case in point: Wired this week released an excellent new report documenting how it was relatively trivial to buy the sensitive and detailed movement data of U.S. military and intelligence workers as they moved around Germany:

“A collaborative analysis of billions of location coordinates obtained from a US-based data broker provides extraordinary insight into the daily routines of US service members. The findings also provide a vivid example of the significant risks the unregulated sale of mobile location data poses to the integrity of the US military and the safety of its service members and their families overseas.”

The data purchased by Wired doesn’t just track troops as they head out for a weekend at the bars. It provides granular, second-by-second detail of their movements around extremely sensitive facilities:

“We tracked hundreds of thousands of signals from devices inside sensitive US installations in Germany. That includes scores of devices within suspected NSA monitoring or signals-analysis facilities, more than a thousand devices at a sprawling US compound where Ukrainian troops were being being trained in 2023, and nearly 2,000 others at an air force base that has crucially supported American drone operations.”

Wired does note that the FTC is poised to file several lawsuits recognizing these kinds of facilities as protected sites, though it’s unclear those suits will survive Lina Khan’s inevitable ouster under a Trump administration looking to dismantle the federal regulatory state for shits and giggles.

When our underfunded and undermined regulators have tried to hold wireless companies or app makers accountable, they’re routinely derailed by either a Republican Congress (like when the GOP in 2017 killed FCC broadband privacy rules before they could even take effect), or more recently by a Trump Supreme Court keen to declare all federal consumer protection effectively illegal.

Even the most basic of FCC efforts to impose a long overdue fine against AT&T, Verizon, and T-Mobile have run aground thanks to the Trump-stocked 5th, 6th, and Supreme Court efforts to block anything even vaguely resembling corporate oversight. I’m told by the nation’s deepest thinkers that this corruption and greed is, somehow, “populism.”

Time and time and time again the U.S. has prioritized making money over protecting consumer privacy, market health, or national security. And it’s certain to only get worse during a second Trump term stocked with folks like new FCC boss Brendan Carr, dedicated to ensuring his friends at AT&T, Verizon, and T-Mobile never face anything close to accountability for anything, ever.

[…]

Source: Oh Look, It Was Trivial To Buy Troop And Intelligence Officer Location Data From Dodgy, Unregulated Data Brokers | Techdirt

S

Synology, a Taiwanese network-attached storage (NAS) appliance maker, patched two critical zero-days exploited during last week’s Pwn2Own hacking competition within days.

Midnight Blue security researcher Rick de Jager found the critical zero-click vulnerabilities (tracked together as CVE-2024-10443 and dubbed RISK:STATION) in the company’s Synology Photos and BeePhotos for BeeStation software.

As Synology explains in security advisories published two days after the flaws were demoed at Pwn2Own Ireland 2024 to hijack a Synology BeeStation BST150-4T device, the security flaws enable remote attackers to gain remote code execution as root on vulnerable NAS appliances exposed online.

“The vulnerability was initially discovered, within just a few hours, as a replacement for another Pwn2Own submission. The issue was disclosed to Synology immediately after demonstration, and within 48 hours a patch was made available which resolves the vulnerability,” Midnight Blue said.

“However, since the vulnerability has a high potential for criminal abuse, and millions of devices are affected, a media reach-out was made to inform system owners of the issue and to stress the point that immediate mitigative actions are required.”

Synology says it addressed the vulnerabilities in the following software releases; however, they’re not automatically applied on vulnerable systems, and customers are advised to update as soon as possible to block potential incoming attacks:

• BeePhotos for BeeStation OS 1.1: Upgrade to 1.1.0-10053 or above
• BeePhotos for BeeStation OS 1.0: Upgrade to 1.0.2-10026 or above
• Synology Photos 1.7 for DSM 7.2: Upgrade to 1.7.0-0795 or above.
• Synology Photos 1.6 for DSM 7.2: Upgrade to 1.6.2-0720 or above.

QNAP, another Taiwanese NAS device manufacturer, patched two more critical zero-days exploited during the hacking contest within a week (in the company’s SMB Service and Hybrid Backup Sync disaster recovery and data backup solution).

[…]

Source: Synology hurries out patches for zero-days exploited at Pwn2Own

Usually the POC is given to the company around 30 days before disclosure. That is what makes it ‘responsible disclosure’.

Some of the world’s most prominent leaders’ movements were tracked online through a fitness app used by their bodyguards, an investigation has suggested

A report by French newspaper Le Monde said several US Secret Service agents use the Strava fitness app, which has revealed highly confidential movements of US president Joe Biden, presidential rivals Donald Trump and Kamala Harris and other world leaders.

The investigation also identified Strava users among the security personnel for French president Emmanuel Macron and Russian president Vladimir Putin. Strava is a popular app among runners and cyclists, that enables users to log and share their physical activities within a community.

[…]

In another example, Le Monde used an agent’s Strava profile to reveal the location of a hotel where Biden stayed in San Francisco for high-stakes talks with Chinese president Xi Jinping in 2023. A few hours before Biden’s arrival, the agent went jogging from the hotel and used Strava to trace his route.

In a statement to the newspaper, the Secret Service said its staff aren’t allowed to use personal electronic devices while on duty during protective assignments but “we do not prohibit an employee’s personal use of social media off-duty.”

[…]

Source: How Strava ‘gave away locations’ of world leaders including Trump, Putin and Macron | The Independent

In 2018 this was shown to be a problem, you would have thought they would have fixed it by now:

Fitness app Polar even better at revealing secrets than Strava and Garmin

Heat Map Released by Fitness Tracker Reveals Location of Secret Military Bases

A nasty bug in Samsung’s mobile chips is being exploited by miscreants as part of an exploit chain to escalate privileges and then remotely execute arbitrary code, according to Google security researchers.

The use-after-free vulnerability is tracked as CVE-2024-44068, and it affects Samsung Exynos mobile processors versions 9820, 9825, 980, 990, 850, and W920. It received an 8.1 out of 10 CVSS severity rating, and Samsung, in its very brief security advisory, describes it as a high-severity flaw. The vendor patched the hole on October 7.

While the advisory doesn’t make any mention of attackers abusing the vulnerability, according to Googlers Xingyu Jin and Clement Lecigene, someone(s) has already chained the flaw with other CVEs (those aren’t listed) as part of an attack to execute code on people’s phones.

The bug exists in the memory management and how the device driver sets up the page mapping, according to Lecigene, a member of Google’s Threat Analysis Group, and Jin, a Google Devices and Services Security researcher who is credited with spotting the flaw and reporting it to Samsung.

“This 0-day exploit is part of an EoP chain,” the duo said. “The actor is able to execute arbitrary code in a privileged cameraserver process. The exploit also renamed the process name itself to ‘vendor.samsung.hardware.camera.provider@3.0-service,’ probably for anti-forensic purposes.”

The Register reached out to Samsung for more information about the flaw and in-the-wild exploits, but did not immediately receive a response. We will update this story when we hear back.

It’s worth noting that Google TAG keeps a close eye on spyware and nation-state gangs abusing zero-days for espionage purposes.

Considering that both of these threats frequently attack mobile devices to keep tabs on specific targets — Google tracked [PDF] 61 zero-days in the wild that specifically targeted end-user platforms and products in 2023 – we wouldn’t be too surprised to hear that the exploit chain including CVE-2024-44068 ultimately deploys some snooping malware on people’s phones. ®

Source: Samsung phone users exposed to EoP attacks, Google warns • The Register

It was revealed this weekend that Chinese hackers managed to access systems run by three of the largest internet service providers (ISPs) in the US.

What’s notable about the attack is that it compromised security backdoors deliberately created to allow for wiretaps by US law enforcement …

[…]

Apple famously refused the FBI’s request to create a backdoor into iPhones to help access devices used by shooters in San Bernardino and Pensacola. The FBI was subsequently successful in accessing all the iPhones concerned without the assistance it sought.

[…]

You cannot have an encryption system which is only a little bit insecure any more than you can be a little bit pregnant. Encryption systems are either secure or they’re not – and if they’re not then it’s a question of when, rather than if, others are able to exploit the vulnerability.

This latest case perfectly illustrates the point. The law required ISPs to create backdoors that could be used for wiretaps by US law enforcement, and hackers have now found and accessed them.

[…]

Source: Chinese hack shows why Apple is right about security backdoors

And of course the arguments against backdoors predate this statement by decades. The hangup on Apple in the article is because it’s an Apple fanboy outlet.

In this week’s Patch Tuesday Microsoft alerted users to, among other vulnerabilities, a flaw in Windows Installer that can be exploited by malware or a rogue user to gain SYSTEM-level privileges to hijack a PC.

The vulnerability, CVE-2024-38014, was spotted and privately disclosed by security shop SEC Consult, which has now shared the full details of how this attack works. The researcher has released an open source tool to scan a system for Installer files that can be abused to elevate local privileges.

Microsoft said the bug is already exploited, which may mean it acknowledges that SEC Consult’s exploit for the flaw works, or that bad people are abusing this in the wild, or both

[…]

SECC researcher Michael Baer found the exploitable weakness in January. Fixing it turned out to be a complex task and Microsoft asked for more time to address it with a patch, which it implemented this week. The original plan was to close the hole in May, but that slipped to this September for technical reasons. Now Baer has written a blog post explaining exactly how the attack works.

Essentially, a low privileged user opens an Installer package to repair some already-installed code on a vulnerable Windows system. The user does this by running an .msi file for a program, launching the Installer to handle it, and then selecting the option to repair the program (eg, like this). There is a brief opportunity to hijack that repair process, which runs with full SYSTEM rights, and gain those privileges, giving much more control over the PC.

When the repair process begins, a black command-line window opens up briefly to run a Windows program called certutil.exe. Quickly right clicking on the window’s top bar and selecting “Properties” will stop the program from disappearing and open a dialog box in which the user can click on a web link labeled “legacy console mode.” The OS will then prompt the user to open a browser to handle that link. Select Firefox, ideally, to handle that request.

Then in the browser, press Control-O to open a file, type cmd.exe in the top address bar of the dialog box, hit Enter, and bam – you’ve got a command prompt as SYSTEM. That’s because the Installer spawned the browser with those rights from that link.

[…]

Source: More details on that Windows Installer ‘make me admin’ hole • The Register

Security flaws in your computer’s firmware, the deep-seated code that loads first when you turn the machine on and controls even how its operating system boots up, have long been a target for hackers looking for a stealthy foothold. But only rarely does that kind of vulnerability appear not in the firmware of any particular computer maker, but in the chips found across hundreds of millions of PCs and servers. Now security researchers have found one such flaw that has persisted in AMD processors for decades, and that would allow malware to burrow deep enough into a computer’s memory that, in many cases, it may be easier to discard a machine than to disinfect it.

At the Defcon hacker conference tomorrow, Enrique Nissim and Krzysztof Okupski, researchers from the security firm IOActive, plan to present a vulnerability in AMD chips they’re calling Sinkclose. The flaw would allow hackers to run their own code in one of the most privileged modes of an AMD processor, known as System Management Mode

[…]

an attacker could infect the computer with malware known as a “bootkit” that evades antivirus tools and is potentially invisible to the operating system, while offering a hacker full access to tamper with the machine and surveil its activity. For systems with certain faulty configurations in how a computer maker implemented AMD’s security feature known as Platform Secure Boot—which the researchers warn encompasses the large majority of the systems they tested—a malware infection installed via Sinkclose could be harder yet to detect or remediate, they say, surviving even a reinstallation of the operating system.

[…]

Only opening a computer’s case, physically connecting directly to a certain portion of its memory chips with a hardware-based programming tool known as SPI Flash programmer and meticulously scouring the memory would allow the malware to be removed, Okupski says.

Nissim sums up that worst-case scenario in more practical terms: “You basically have to throw your computer away.”

In a statement shared with WIRED, AMD acknowledged IOActive’s findings, thanked the researchers for their work, and noted that it has “released mitigation options for its AMD EPYC datacenter products and AMD Ryzen PC products, with mitigations for AMD embedded products coming soon.” (The term “embedded,” in this case, refers to AMD chips found in systems such as industrial devices and cars.) For its EPYC processors designed for use in data-center servers, specifically, the company noted that it released patches earlier this year. AMD declined to answer questions in advance about how it intends to fix the Sinkclose vulnerability, or for exactly which devices and when, but it pointed to a full list of affected products that can be found on its website’s security bulletin page.

[…]

Nissim and Okupski respond that while exploiting Sinkclose requires kernel-level access to a machine, such vulnerabilities are exposed in Windows and Linux practically every month

[…]

Nissim and Okupski’s Sinkclose technique works by exploiting an obscure feature of AMD chips known as TClose. (The Sinkclose name, in fact, comes from combining that TClose term with Sinkhole, the name of an earlier System Management Mode exploit found in Intel chips in 2015.) In AMD-based machines, a safeguard known as TSeg prevents the computer’s operating systems from writing to a protected part of memory meant to be reserved for System Management Mode known as System Management Random Access Memory or SMRAM. AMD’s TClose feature, however, is designed to allow computers to remain compatible with older devices that use the same memory addresses as SMRAM, remapping other memory to those SMRAM addresses when it’s enabled. Nissim and Okupski found that, with only the operating system’s level of privileges, they could use that TClose remapping feature to trick the SMM code into fetching data they’ve tampered with, in a way that allows them to redirect the processor and cause it to execute their own code at the same highly privileged SMM level.

[…]

Nissim and Okupski say they agreed with AMD not to publish any proof-of-concept code for their Sinkclose exploit for several months to come, in order to provide more time for the problem to be fixed.

[…]

Source: ‘Sinkclose’ Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually Unfixable Infections | WIRED

More than 384,000 websites are linking to a site that was caught last week performing a supply-chain attack that redirected visitors to malicious sites, researchers said.

For years, the JavaScript code, hosted at polyfill[.]com, was a legitimate open source project that allowed older browsers to handle advanced functions that weren’t natively supported. By linking to cdn.polyfill[.]io, websites could ensure that devices using legacy browsers could render content in newer formats. The free service was popular among websites because all they had to do was embed the link in their sites. The code hosted on the polyfill site did the rest.

The power of supply-chain attacks

In February, China-based company Funnull acquired the domain and the GitHub account that hosted the JavaScript code. On June 25, researchers from security firm Sansec reported that code hosted on the polyfill domain had been changed to redirect users to adult- and gambling-themed websites. The code was deliberately designed to mask the redirections by performing them only at certain times of the day and only against visitors who met specific criteria.

The revelation prompted industry-wide calls to take action. Two days after the Sansec report was published, domain registrar Namecheap suspended the domain, a move that effectively prevented the malicious code from running on visitor devices. Even then, content delivery networks such as Cloudflare began automatically replacing pollyfill links with domains leading to safe mirror sites. Google blocked ads for sites embedding the Polyfill[.]io domain. The website blocker uBlock Origin added the domain to its filter list. And Andrew Betts, the original creator of Polyfill.io, urged website owners to remove links to the library immediately.

As of Tuesday, exactly one week after malicious behavior came to light, 384,773 sites continued to link to the site, according to researchers from security firm Censys. Some of the sites were associated with mainstream companies including Hulu, Mercedes-Benz, and Warner Bros. and the federal government. The findings underscore the power of supply-chain attacks, which can spread malware to thousands or millions of people simply by infecting a common source they all rely on.

[…]

Source: 384,000 sites pull code from sketchy code library recently bought by Chinese firm | Ars Technica

CocoaPods vulnerabilities reported today could allow malicious actors to take over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and MacOS applications, potentially affecting “almost every Apple device.”

E.V.A Information Security researchers found that the three vulnerabilities in the open source CocoaPods dependency manager were present in applications provided by Meta (Facebook, Whatsapp), Apple (Safari, AppleTV, Xcode), and Microsoft (Teams); as well as in TikTok, Snapchat, Amazon, LinkedIn, Netflix, Okta, Yahoo, Zynga, and many more.

The vulnerabilities have been patched, yet the researchers still found 685 Pods “that had an explicit dependency using an orphaned Pod; doubtless there are hundreds or thousands more in proprietary codebases.”

The widespread issue is further evidence of the vulnerability of the software supply chain. The researchers wrote that they often find that 70-80% of client code they review “is composed of open-source libraries, packages, or frameworks.”

The CocoaPods Vulnerabilities

The newly discovered vulnerabilities – one of which (CVE-2024-38366) received a 10 out of 10 criticality score – actually date from a May 2014 CocoaPods migration to a new ‘Trunk’ server, which left 1,866 orphaned pods that owners never reclaimed.

The other two CocoaPods vulnerabilities (CVE-2024-38368 and CVE-2024-38367) also date from the migration.

For CVE-2024-38368, the researchers said that in analyzing the source code of the ‘Trunk’ server, they noticed that all orphan pods were associated with a default CocoaPods owner, and the email created for this default owner was unclaimed-pods@cocoapods.org. They also noticed that the public API endpoint to claim a pod was still available, and the API “allowed anyone to claim orphaned pods without any ownership verification process.”

“By making a straightforward curl request to the publicly available API, and supplying the unclaimed targeted pod name, the door was wide open for a potential attacker to claim any or all of these orphaned Pods as their own,” wrote Reef Spektor and Eran Vaknin.

Once they took over a Pod, an attacker would be able to manipulate the source code or insert malicious content into the Pod, which “would then go on to infect many downstream dependencies, and potentially find its way into a large percentage of Apple devices currently in use.”

[…]

“The vulnerabilities we discovered could be used to control the dependency manager itself, and any published package.”

Downstream dependencies could mean that thousands of applications and millions of devices were exposed over the last few years, and close attention should be paid to software that relies on orphaned CocoaPod packages that do not have an owner assigned to them.

Developers and organizations should review dependency lists and package managers used in their applications, validate checksums of third-party libraries, perform periodic scans to detect malicious code or suspicious changes, keep software updated, and limit use of orphaned or unmaintained packages.

“Dependency managers are an often-overlooked aspect of software supply chain security,” the researchers wrote. “Security leaders should explore ways to increase governance and oversight over the use these tools.”

Source: CocoaPods Vulnerabilities Could Affect Apple, Facebook, TikTok

It took a while, but Microsoft has told customers that the Russian criminals who compromised its systems earlier this year made off with even more emails than it first admitted.

We’ve been aware for some time that the digital Russian break-in at the Windows maker saw Kremlin spies make off with source code, executive emails, and sensitive US government data. Reports last week revealed that the issue was even larger than initially believed and additional customers’ data has been stolen.

“We are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor, and we are providing the customers the email correspondence that was accessed by this actor,” a Microsoft spokesperson told Bloomberg. “This is increased detail for customers who have already been notified and also includes new notifications.”

Along with Russia, Microsoft was also compromised by state actors from China not long ago, and that issue similarly led to the theft of emails and other data belonging to senior US government officials.

Both incidents have led experts to call Microsoft a threat to US national security, and president Brad Smith to issue a less-than-reassuring mea culpa to Congress. All the while, the US government has actually invested more in its Microsoft kit.

Bloomberg reported that emails being sent to affected Microsoft customers include a link to a secure environment where customers can visit a site to review messages Microsoft identified as having been compromised. But even that might not have been the most security-conscious way to notify folks: Several thought they were being phished.

Source: Microsoft tells more customers their emails have been stolen • The Register