Microsoft data breach exposes 250 million customer service and support records


Microsoft has admitted that between December 5th and 31st 2019, a misconfiguration of the security rules for what should have been an internal customer support database left it exposed to anyone who found it, with no password required.

According to researcher Bob Diachenko, who discovered that the database was accessible to anyone capable of running a web browser, the nearly 250 million Customer Service and Support (CSS) records contained logs of conversations between Microsoft’s support team and customers around the world.

The data, which covers a time period of 14 years from 2005 to December 2019, was found on five Elasticsearch servers, each of which contained what appears to have been an identical copy of the 250 million database records.


According to a blog post by Microsoft, the “vast majority of records” had been automatically redacted to remove personal information.

However, Diachenko reports that many records were found to contain the following sensitive information:

  • Customer email addresses
  • IP addresses
  • Locations
  • Descriptions of CSS claims and cases
  • Microsoft support agent emails
  • Case numbers, resolutions, and remarks
  • Internal notes marked as “confidential”

Such information would clearly be useful to a scammer posing as a genuine Microsoft support technician: a cold caller who can quote a victim’s real case number, the date of their complaint and what it was about is far more convincing than one who cannot.

Microsoft is clearly embarrassed by the goof:

“Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”

“We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence. We also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this misconfiguration, investigate the situation, and begin notifying customers as appropriate.”

Microsoft says its investigation into the security breach has “found no malicious use” of the data, but that it has begun to notify customers whose data was present in the unsecured database.
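Microsoft’s own advice in the statement above is to periodically review your configurations. As an added example, not from the article, from Microsoft or from Diachenko, here is a small Python checker that does the simplest version of that review for Elasticsearch: it asks the cluster for its banner with no credentials at all and, if the banner comes back, lists the indices and counts the documents an anonymous visitor could read. It assumes the standard REST port 9200, the normal `GET /` banner and the `/_cat/indices?format=json` listing; the sample responses embedded in it are constructed for offline use, not captured from any real server.

```python
"""Added example: check whether an Elasticsearch endpoint answers unauthenticated requests.

Assumptions (not from the article): Elasticsearch's default REST port 9200, the
standard GET / banner and the /_cat/indices?format=json listing. The sample
responses below are constructed, not captured from any real server.
"""
import json
import sys
import urllib.error
import urllib.request


def classify_root(status, body):
    """Classify the answer to an unauthenticated GET / on the REST port.

    'open'          : the cluster banner came back without any credentials
    'auth-required' : the server demanded authentication (401/403)
    'unknown'       : something else (a proxy login page, another service, junk)
    """
    if status in (401, 403):
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unknown"
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
    return "unknown"


def summarize_indices(cat_json):
    """Turn /_cat/indices?format=json output into (index_count, total_docs, largest).

    largest is (index_name, doc_count) for the index holding the most documents,
    or None when there are no indices. docs.count is a string in _cat output and
    comes back as null for closed or still-recovering indices, so treat that as 0.
    """
    entries = json.loads(cat_json)
    total = 0
    largest = None
    for entry in entries:
        raw = entry.get("docs.count")
        count = int(raw) if raw not in (None, "") else 0
        total += count
        if largest is None or count > largest[1]:
            largest = (entry["index"], count)
    return len(entries), total, largest


def fetch(url, timeout=5):
    """GET url with no credentials and return (status, body). Network required."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403 arrive here; keep the body, it usually names the auth plugin.
        return err.code, err.read().decode("utf-8", "replace")


def audit(host, port=9200, scheme="http"):
    """Probe one host and describe what an anonymous client can see."""
    base = f"{scheme}://{host}:{port}"
    status, body = fetch(f"{base}/")
    result = {"host": host, "verdict": classify_root(status, body)}
    if result["verdict"] == "open":
        status, body = fetch(f"{base}/_cat/indices?format=json")
        if status == 200:
            count, docs, largest = summarize_indices(body)
            result.update(indices=count, documents=docs, largest=largest)
    return result


# Constructed sample responses, shaped like real ones, so the logic runs offline.
SAMPLE_ROOT_OPEN = json.dumps({
    "name": "node-1", "cluster_name": "support-logs", "cluster_uuid": "abc",
    "version": {"number": "6.8.0"}, "tagline": "You Know, for Search",
})
SAMPLE_ROOT_DENIED = json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request"},
    "status": 401,
})
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "support-cases-2019", "docs.count": "48000000", "store.size": "30gb"},
    {"index": "support-cases-2018", "docs.count": "12000000", "store.size": "8gb"},
    {"index": ".kibana", "docs.count": None},
])

if __name__ == "__main__":
    # Usage: python es_anon_check.py host1 host2 ...
    for target in sys.argv[1:]:
        print(json.dumps(audit(target)))
```

Run it against your own hosts on a schedule and alert on any `"verdict": "open"`; a healthy result is `auth-required` on every address the cluster listens on, including any internal ones that a cloud security group or firewall rule is supposed to be hiding.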


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

6 comments on “Microsoft data breach exposes 250 million customer service and support records”

  1. F. Flintstone

    My response is probably being hacked right now. Security takes a backseat to bottom line…always!

  2. scottG

    Unacceptable. Fire Bill Gates.

1. Graham Cluley · in reply to scottG

      I don't think Bill has a day-to-day role there anymore. Or if he does, it's not configuring the security settings.

  3. Robert kuczewski

HOW DOES THIS CONTINUALLY HAPPEN THROUGH MULTIPLE AGENCIES? HAS EVERYONE IN THE WORLD BEEN HACKED AT THIS POINT? WHAT IS SAFE ANYMORE? SEEMS LIKE NOTHING. ARE YOU GOING TO OFFER ME $125 FOR A LIFETIME OF STOLEN INFORMATION?? THATS WORTH IT?????

    1. Easy on the CAPS Lock old bean…

  4. Andrew

Same old same old. You can have the most sophisticated rules, security software and preventative measures but no-one can prevent the blubware behind the keyboard from f***ing it all up. Doesn't matter who you are.
