Microsoft has admitted that between December 5th-31st 2019, a misconfiguration of the security rules for (what should have been) an internal customer support database left it exposed for anyone to access – no password required.
According to researcher Bob Diachenko, who discovered the database was accessible to anyone capable of running a web browser, the nearly 250 million Customer Service and Support (CSS) records contained logs of conversations between Microsoft’s support team and customers around the world.
The data, which covers a time period of 14 years from 2005 to December 2019, was found on five Elasticsearch servers, each of which contained what appears to have been an identical copy of the 250 million database records.
According to a blog post by Microsoft, the “vast majority of records” had been automatically redacted to remove some personal information.
However, Diachenko reports that many records were found to contain the following sensitive information:
- Customer email addresses
- IP addresses
- Descriptions of CSS claims and cases
- Microsoft support agent emails
- Case numbers, resolutions, and remarks
- Internal notes marked as “confidential”
Such information could clearly be useful to a scammer posing as a genuine Microsoft support technician.
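Diachenko’s finding that the automated redaction still left e-mail and IP addresses in many records points to a cheap control: audit what the redaction step emits for anything it should have stripped. The script below is an added example, not code from Microsoft or from the original post; the record layout and the sample rows are constructed for illustration and assume a flat case record with string fields.

```python
import re
from typing import Dict, List

# Constructed sample records, loosely shaped like support-case log entries.
# They are invented for this example, not rows from the exposed database.
SAMPLE_RECORDS = [
    {"case_id": "CASE-0001", "customer_email": "[REDACTED]", "client_ip": "[REDACTED]",
     "notes": "Customer reports activation failure; resolved by reissuing key."},
    {"case_id": "CASE-0002", "customer_email": "jane.doe@example.com", "client_ip": "203.0.113.7",
     "notes": "Confidential: escalate to tier 2, contact agent at agent@example.com"},
    {"case_id": "CASE-0003", "customer_email": "[REDACTED]", "client_ip": "198.51.100.42",
     "notes": "Follow-up scheduled."},
]

# Patterns for the two data types the article says survived redaction.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")


def find_residual_pii(record: Dict[str, str]) -> List[str]:
    """Return 'field:type' findings for values the redaction step should have removed.

    Every string field is checked, not only the obvious ones, because free-text
    fields such as agent notes are where addresses tend to survive.
    """
    findings = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        if EMAIL_RE.search(value):
            findings.append(f"{field}:email")
        if IPV4_RE.search(value):
            findings.append(f"{field}:ipv4")
    return findings


def audit(records) -> Dict[str, List[str]]:
    """Map case ids to their findings, keeping only records that still leak something."""
    report = {}
    for rec in records:
        hits = find_residual_pii(rec)
        if hits:
            report[rec["case_id"]] = hits
    return report


if __name__ == "__main__":
    for case_id, hits in audit(SAMPLE_RECORDS).items():
        print(case_id, ", ".join(hits))
```

Run against a sample of what the redaction pipeline writes out, a non-empty report is a reason to block the export rather than a statistic to file.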
Microsoft is clearly embarrassed by the goof:
“Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”
“We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence. We also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this misconfiguration, investigate the situation, and begin notifying customers as appropriate.”
Microsoft says its investigation into the security breach has “found no malicious use” of the data, but that it has begun to notify customers whose data was present in the unsecured database.
6 comments on “Microsoft data breach exposes 250 million customer service and support records”
My response is probably being hacked right now. Security takes a backseat to bottom line…always!
Unacceptable. Fire Bill Gates.
I don't think Bill has a day-to-day role there anymore. Or if he does, it's not configuring the security settings.
HOW DOES THIS CONTINUALLY HAPPEN THROUGH MULTIPLE AGENCIES? HAS EVERYONE IN THE WORLD BEEN HACKED AT THIS POINT? WHAT IS SAFE ANYMORE? SEEMS LIKE NOTHING. ARE YOU GOING TO OFFER ME $125 FOR A LIFETIME OF STOLEN INFORMATION?? THAT'S WORTH IT?????
Easy on the CAPS Lock old bean…
Same old same old. You can have the most sophisticated rules, security software and preventative measures but no-one can prevent the blubware behind the keyboard from f***ing it all up. Doesn't matter who you are.