250 million Microsoft customer records published Online

250 million Microsoft customer records published Online

For most of December, Microsoft left approximately 250 million customer service and customer support records on the Web for anyone to view

Security researchers working for the UK tech news site Comparitech discovered the unprotected data, consisting of five identical databases holding logs of conversations between Microsoft technical support agents and customers

Over a 14-year period (2005 to December 2019), the publicly available logs included customer email addresses, IP addresses, locations, complaints, case numbers, and support agent emails

In a notice posted on Microsoft's website, Microsoft stated that it had investigated "a misconfiguration of its internal customer support database No malicious use was found, but customers were "exposed to personally identifiable information"

"We want to reassure all customers that we are transparent about this incident, we take it very seriously, and we are accountable," Microsoft wrote

According to Microsoft, the problem stems from a change made to the database on December 5, which included an incorrect security rule that left data unprotected

Security researcher Bob Diachenko, working with Comparitech to find the unprotected database online, notified Microsoft of the problem on December 29, and Microsoft had until December 31 to locked down

Microsoft claims that the problem is limited to internal databases used for support case analysis and not commercial cloud services This is very important because Microsoft requires that data stored in the database for support case analysis be redacted so that personal information is removed

As a result, "most records" did not contain personal information, including e-mail addresses, most of which were redacted

Unfortunately, some data was left unredacted if certain conditions were met Microsoft cited examples of non-standard formatting of information, such as e-mail addresses with a space instead of a dot before the "com"

However, according to Comparitech, the types of data released go beyond e-mail addresses According to Diachenko, IP addresses, locations, claims, support agent emails, case numbers, and internal memos marked "confidential" were also unprotected in at least some cases

Truly sensitive data, such as birth dates, credit card information, and email aliases, were either redacted or never entered in the first place, but the possibility still remains that data that remains public could be used by technical support fraudsters

With this information, scammers can be more convincing when they call random people and claim to be legitimate Microsoft tech support agents For example, they can cite actual case numbers collected from the exposed database

Microsoft has found no evidence that the exposed data was used maliciously, and the information contained in the database is only moderately sensitive Diachenko did not become aware of the database until after it was indexed by the search engine on December 28, and it is not certain whether anyone else saw it

Whenever Diachenko and his team discover an unprotected database online, they are often unsure whether someone else found it before them or whether they retrieved something from it

Still, Microsoft customers should be aware of email phishing and technical support scams Microsoft agents will not proactively call you to ask about your device, so be suspicious if you don't call first

Microsoft apologized for failing to protect customer information and promised to take further steps to prevent similar situations

"We sincerely apologize and want to reassure our customers that we take this matter seriously and are working diligently to prevent a recurrence," the company wrote

The company will expand the scope of its mechanism to audit network security rules for internal resources, detect inappropriate security rules, and add additional alert services when rules are not properly followed

Categories