Microsoft data breach exposes 250 million customer service and support records

Graham Cluley
@gcluley

Microsoft has admitted that between December 5th-31st 2019, a misconfiguration of the security rules for (what should have been) an internal customer support database left it exposed for anyone to access – no password required.

According to researcher Bob Diachenko, who discovered that the database was accessible to anyone capable of running a web browser, the nearly 250 million Customer Service and Support (CSS) records contained logs of conversations between Microsoft's support team and customers around the world.

The data, which covers a time period of 14 years from 2005 to December 2019, was found on five Elasticsearch servers, each of which contained what appears to have been an identical copy of the 250 million database records.
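The exposure described above, an Elasticsearch HTTP API answering requests that carry no credentials, is straightforward to check for from the outside. The script below is an added example, not code from the article, from Microsoft or from the researcher: it sends one unauthenticated GET to `/_cat/indices`, classifies the reply, and lists the largest indices that answered. It assumes a stock Elasticsearch node on plain HTTP, port 9200 (the default); the host name is a placeholder and the sample replies are constructed, not Microsoft's data.

```python
"""Probe an Elasticsearch endpoint for anonymous access.

Added example; not code from the article, Microsoft or Bob Diachenko.
Assumes a stock Elasticsearch HTTP API on plain HTTP, port 9200 (the
default). Host names are placeholders; sample responses are constructed.
"""
import json
import sys
import urllib.error
import urllib.request

OPEN = "open"                      # answered with index metadata, no credentials asked
AUTH_REQUIRED = "auth_required"    # security enabled: anonymous request refused
NOT_ELASTICSEARCH = "not_elasticsearch"


def classify_response(status, body):
    """Classify the reply to an unauthenticated GET /_cat/indices?format=json."""
    if status in (401, 403):
        return AUTH_REQUIRED
    if status != 200:
        return NOT_ELASTICSEARCH
    try:
        rows = json.loads(body)
    except ValueError:
        return NOT_ELASTICSEARCH
    # _cat/indices returns a JSON list with one object per index ("index",
    # "docs.count", ...). An empty list still means the node answered an
    # anonymous request, which is exactly the misconfiguration being hunted.
    if isinstance(rows, list) and all(isinstance(r, dict) and "index" in r for r in rows):
        return OPEN
    return NOT_ELASTICSEARCH


def summarize_indices(body, min_docs=1_000_000):
    """(index name, document count) pairs at or above min_docs, largest first."""
    rows = []
    for item in json.loads(body):
        try:
            count = int(item.get("docs.count") or 0)   # docs.count is None for closed indices
        except ValueError:
            continue
        if count >= min_docs:
            rows.append((item["index"], count))
    return sorted(rows, key=lambda r: r[1], reverse=True)


def probe(host, port=9200, timeout=5.0):
    """Send one anonymous request and return (classification, raw body)."""
    url = f"http://{host}:{port}/_cat/indices?format=json"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:      # 401/403 are raised, not returned
        status, body = err.code, err.read()
    return classify_response(status, body), body


# Constructed sample replies for the offline demo (not real Microsoft data).
SAMPLE_OPEN = json.dumps([
    {"health": "green", "status": "open", "index": "support-cases-2019", "docs.count": "249000000"},
    {"health": "yellow", "status": "open", "index": ".kibana", "docs.count": "12"},
]).encode()
SAMPLE_LOCKED = (b'{"error":{"root_cause":[{"type":"security_exception",'
                 b'"reason":"missing authentication credentials"}]},"status":401}')


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # live probe of a host you are authorized to test
        verdict, body = probe(sys.argv[1])
    else:                                      # offline demo on the constructed sample
        verdict, body = classify_response(200, SAMPLE_OPEN), SAMPLE_OPEN
    print("verdict:", verdict)
    if verdict == OPEN:
        for name, count in summarize_indices(body):
            print(f"  {name}: {count:,} documents reachable without a password")
```

Run with no arguments for the offline demo, or with a host name to probe a node you are authorized to test; the request only asks for index metadata. A node that is configured correctly returns the `auth_required` verdict, which is what you get with `xpack.security.enabled: true` in `elasticsearch.yml`; binding `network.host` to loopback or an internal address and blocking port 9200 at the firewall or security group keeps the API off the Internet in the first place.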


According to a blog post by Microsoft, the "vast majority of records" had been automatically redacted to remove personal information.

However, Diachenko reports that many records were found to contain the following sensitive information:

  • Customer email addresses
  • IP addresses
  • Locations
  • Descriptions of CSS claims and cases
  • Microsoft support agent emails
  • Case numbers, resolutions, and remarks
  • Internal notes marked as “confidential”

Such information could clearly be useful to a scammer posing as a genuine Microsoft support technician.
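Automated redaction that handles the structured fields but leaves customer details pasted into free-text case notes is a common way for a "mostly redacted" export to still carry e-mail addresses and IP addresses of the kind listed above. The script below is an added example, not code from the article, from Microsoft or from the researcher: it scans the free-text fields of exported support records for e-mail and IPv4 literals that survived redaction and reports the offending cases. The record layout and field names are assumptions, and the sample records are constructed, using example.com mailboxes and an RFC 5737 documentation address rather than any real data.

```python
"""Audit exported support records for identifiers an automated redaction missed.

Added example; not code from the article, Microsoft or Bob Diachenko. The
record layout and field names are assumptions. The sample records are
constructed (example.com mailboxes, RFC 5737 documentation address).
"""
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Dotted quad not embedded in a longer digit run (keeps version strings out).
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")

# Free-text fields where agents paste customer details and redaction tends to fail.
TEXT_FIELDS = ("description", "resolution", "remarks", "internal_notes")


def _is_ipv4(candidate):
    """True when every octet of a dotted quad is in range."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def find_residual_pii(record):
    """Return (field, kind, value) for every e-mail or IPv4 literal left in a record."""
    hits = []
    for field in TEXT_FIELDS:
        text = record.get(field) or ""
        for match in EMAIL_RE.finditer(text):
            hits.append((field, "email", match.group()))
        for match in IPV4_RE.finditer(text):
            if _is_ipv4(match.group()):
                hits.append((field, "ipv4", match.group()))
    return hits


def audit(records):
    """Map case number -> residual identifiers, for records that still carry any."""
    report = {}
    for record in records:
        hits = find_residual_pii(record)
        if hits:
            report[record["case"]] = hits
    return report


# Constructed sample export (not real data). The first record was redacted
# correctly; the second has customer details left inside free text.
SAMPLE_RECORDS = [
    {"case": "2019-00001",
     "description": "Customer [REDACTED] cannot sign in from [REDACTED].",
     "internal_notes": "CONFIDENTIAL: escalate to tier 2."},
    {"case": "2019-00002",
     "description": "Customer says: reach me at jane.doe@example.com, my office IP is 203.0.113.7",
     "resolution": "Reset password. Agent: support.agent@example.com",
     "internal_notes": "CONFIDENTIAL: build 10.0.19041.1 affected."},
]


if __name__ == "__main__":
    for case, hits in audit(SAMPLE_RECORDS).items():
        print(case)
        for field, kind, value in hits:
            print(f"  {field}: {kind} {value}")
```

The useful property of a check like this is that it runs against the export itself, after redaction and before anything is loaded into a search cluster, so a record that slipped through shows up as a failing case number rather than as a finding in someone else's blog post. Extending the patterns to phone numbers, IPv6 literals or internal hostnames is the obvious next step; the version-string example in the sample shows why the IPv4 pattern refuses digit runs on either side of the match.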

Microsoft is clearly embarrassed by the goof:

“Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”

“We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence. We also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this misconfiguration, investigate the situation, and begin notifying customers as appropriate.”

Microsoft says its investigation into the security breach has “found no malicious use” of the data, but that it has begun to notify customers whose data was present in the unsecured database.



Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

6 comments on “Microsoft data breach exposes 250 million customer service and support records”

  1. HOW DOES THIS CONTINUALLY HAPPEN THROUGH MULTIPLE AGENCIES? HAS EVERYONE IN THE WORLD BEEN HACKED AT THIS POINT? WHAT IS SAFE ANYMORE? SEEMS LIKE NOTHING. ARE YOU GOING TO OFFER ME $125 FOR A LIFETIME OF STOLEN INFORMATION?? THAT'S WORTH IT?????

  2. Same old same old. You can have the most sophisticated rules, security software and preventative measures but no-one can prevent the blubware behind the keyboard from f***ing it all up. Doesn't matter who you are.
