Rackspace revealed on Thursday that the attackers behind last month’s incident had accessed some of its customers’ Personal Storage Table (PST) files, which can contain a wide range of information, including emails, calendar data, contacts and tasks.
This update comes after Rackspace confirmed that the Play ransomware operation was behind the cyberattack that destroyed its hosted Microsoft Exchange environment in December.
As discovered during the now-completed investigation by cybersecurity firm CrowdStrike, the attackers gained access to the personal storage folders of 27 Rackspace customers.
However, the company added that there was no evidence that the attackers viewed the contents of the backup files or misused the information.
“Of the nearly 30,000 clients in the Hosted Exchange email environment at the time of the attack, forensic investigation determined that the threat actor had accessed a Personal Storage Table (‘PST’) from 27 Hosted Exchange customers,” Rackspace said in an incident report update shared with BleepingComputer in advance.
“We have already proactively communicated our findings to these customers, and importantly, according to CrowdStrike, there is no evidence that the threat actor actually saw, obtained, abused or distributed the emails or data of the 27 Hosted Exchange customers in the PSTs.”
“Customers who have not been contacted directly by the Rackspace team can rest assured that their PST data has not been accessed by the threat actor.”
Although Rackspace claims there is no evidence that threat actors accessed customer data, history has shown that this is invariably not the case.
Moreover, even if the data is not leaked, whether because a ransom is paid or for some other reason, it is very likely that customer data was at least accessed during the attack.
Affected customers can download some recovered PST data
Since discovering the attack on December 2 and confirming that the resulting outage was caused by a ransomware attack, Rackspace has offered affected customers free licenses to migrate their email from its Hosted Exchange platform to Microsoft 365.
The cloud computing provider also provides affected customers with download links to recovered historical mailbox data (containing emails from before December 2) through its customer portal via an automated queue.
“As a reminder, we are proactively notifying customers for whom we have recovered more than 50% of their mailboxes,” the company said.
“We will continue to work to recover all possible data as planned, however, in parallel, we are developing an on-demand solution for customers who still wish to download their data. We expect the on-demand solution to be available in two weeks.”
Earlier today, BleepingComputer asked a Rackspace spokesperson if email data was restored from Rackspace backups or using a decryption tool provided by Play ransomware attackers. We will update the article when we have an answer.
Rackspace added in today’s update that its Hosted Exchange environment will be discontinued, saying it was already planning to migrate customers to Microsoft 365 even before the December ransomware attack.
“Finally, the Hosted Exchange messaging environment will not be rebuilt as an advanced service offering,” Rackspace said.
“Even before the recent security incident, the Hosted Exchange messaging environment had already been planned for migration to Microsoft 365, which has a more flexible pricing model, as well as more modern features and functionality.”