[simondedalus]

we grit our teeth and "believe" that anyone traceably affected got an email directly from the company or something :D

(that said, google main page vulnerable to xss is kind of like... what, we're afraid someone will take over google and put some cryptominers on the google.com main page?)

[dlitz]

Well, a compromised google.com main page could return malicious search results for certain queries. How many Windows sysadmins install PuTTY by googling "putty", and then installing an executable from whatever site shows up in the first couple of results?...

[Piskvorrr]

If the primary install method is "search and download whatever manually from the internet," you have bigger issues than a potential Google compromise: create a site with better ranking than the canonical HTTP (!) download page, MITM the HTTP download, whatever.

[WrtCdEvrydy]

The Microsoft Approach... 'people totally didn't access your email body... except we eventually owned up to it after it got leaked'

[mehrdadn]

Where did they deny that anybody's email bodies were read? I'm looking for it and I can't find it. I only see that they told the other 94%(?) of people that unauthorized access did not reveal the contents of their messages in particular, which seems to be truthful?

[WrtCdEvrydy]

Initial email said the body wasn't affected, and motherboard asked for a confirmation, so they said 'Yes'.

6% of the people received a specific email saying the body of their email was accessed and they had to backtrack.

[mehrdadn]

Well the email said:

> This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments, between January 1st 2019 and March 28th 2019.

Notice it says your email account. The whole email is about the account of the recipient, not those of other recipients. Given that they explicitly worded it this way and people clearly misinterpreted it to mean something else, I hope you can forgive me for being a little skeptical of third-party anecdotes that suggest Microsoft claimed nobody's email contents were accessed...