Microsoft exposed 250 million customer service and support records in massive privacy blunder
A new report reveals how Microsoft exposed nearly 250 million Customer Service and Support records online late last year.
The security research team at Comparitech discovered five servers, each holding the same set of roughly 250 million records of conversations between Microsoft support agents and customers. The records, which spanned 2005 to December 2019, were accessible to anyone on the internet: no password protection or encryption was in place.
The team of security researchers was led by Bob Diachenko, and he explains that most personally identifiable information had been redacted from the records. There was, however, still a great deal of information stored in plain text, including: customer email addresses, IP addresses, locations, descriptions of CSS claims and cases, Microsoft support agent emails, case numbers, case resolutions, case remarks, and internal notes marked as "confidential".
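The list above is the interesting part of the report for anyone who runs a support system: "most" personal data had been scrubbed, yet email and IP addresses survived both as dedicated fields and inside free-text remarks. As an added illustration, not code from the article, Microsoft or Comparitech, the Python below runs a field-level redaction policy over a constructed support-case record and contrasts it with a narrow pass that only strips the obviously personal fields. Every record, name, address and case number in it is invented sample data, and the field names are assumptions about what such a record might look like.

```python
"""
Added example (not from the original article, Microsoft or Comparitech):
a redaction pass over constructed support-case records of the general shape
the report describes. It shows why scrubbing only the fields labelled as
personal leaves email and IP addresses behind, and how a field-level policy
plus a post-redaction leak check closes the gap. All data here is constructed.
"""
import ipaddress
import re
from typing import Any

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample record; field names are assumed, values are invented.
SAMPLE_RECORD: dict[str, Any] = {
    "case_number": "CSS-000001",
    "customer_name": "Jane Doe",
    "customer_email": "jane.doe@example.com",
    "customer_ip": "203.0.113.45",
    "agent_email": "agent1@support.example.com",
    "remarks": "Customer (jane.doe@example.com) reports activation error from 203.0.113.45.",
    "internal_notes": "CONFIDENTIAL: escalate to tier 2",
}

# Identifier fields that must never leave the system in plain text.
DROP_FIELDS = {"customer_name", "customer_email", "customer_ip", "agent_email"}
# Free-text fields that can carry identifiers anywhere and get pattern scrubbing.
TEXT_FIELDS = {"remarks", "internal_notes"}


def scrub_text(text: str) -> str:
    """Replace email addresses and valid IPv4 addresses embedded in free text."""
    text = EMAIL_RE.sub("[EMAIL]", text)

    def ip_repl(match: re.Match) -> str:
        try:
            ipaddress.IPv4Address(match.group(0))
        except ValueError:
            return match.group(0)  # dotted quad with an out-of-range octet, not an address
        return "[IP]"

    return IPV4_RE.sub(ip_repl, text)


def partial_redact(rec: dict[str, Any]) -> dict[str, Any]:
    """Narrow pass: only the fields obviously labelled as personal are removed."""
    out = dict(rec)
    for key in ("customer_name", "customer_email"):
        out[key] = "[REDACTED]"
    return out


def redact_record(rec: dict[str, Any]) -> dict[str, Any]:
    """Field-level policy: drop identifier fields, scrub free text, keep the rest."""
    out: dict[str, Any] = {}
    for key, value in rec.items():
        if key in DROP_FIELDS:
            out[key] = "[REDACTED]"
        elif key in TEXT_FIELDS and isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


def find_leaks(rec: dict[str, Any]) -> list[str]:
    """Post-redaction check: names of fields that still carry an email or IPv4 address."""
    return [
        key
        for key, value in rec.items()
        if isinstance(value, str) and (EMAIL_RE.search(value) or IPV4_RE.search(value))
    ]


if __name__ == "__main__":
    print("narrow pass leaks:", find_leaks(partial_redact(SAMPLE_RECORD)))
    print("field-level pass leaks:", find_leaks(redact_record(SAMPLE_RECORD)))
```

The leak check is the piece worth keeping: run it over the output of whatever redaction you already have, before any export or replication to another server. The narrow pass leaves the customer IP, the agent email and the email inside the remarks, which is the same class of residue the report describes. The example only looks for email and IPv4 patterns; IPv6 addresses, phone numbers and postal addresses would need their own patterns, and no regex pass substitutes for not storing the identifier field in the first place.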
Comparitech shares details of the timeline of events:
- December 28, 2019 -- The databases were indexed by search engine BinaryEdge
- December 29, 2019 -- Diachenko discovered the databases and immediately notified Microsoft.
- December 30-31, 2019 -- Microsoft secured the servers and data. Diachenko and Microsoft continued the investigation and remediation process.
- January 21, 2020 -- Microsoft disclosed additional details about the exposure as a result of the investigation.
Diachenko praised Microsoft for the speed of its response, saying:
I immediately reported this to Microsoft and within 24 hours all servers were secured. I applaud the MS support team for responsiveness and quick turnaround on this despite New Year's Eve.
Microsoft was similarly complimentary of Diachenko. Eric Doerr, general manager at the company, said: "We're thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate".
While the exposed data should not on its own pose much of a risk, it is well suited to phishing and tech-support scams: a caller or email that quotes a genuine case number, a real support agent's address and the details of a real support case is far more convincing than one working from a cold list. Microsoft customers are advised to treat unsolicited contact claiming to be from Microsoft support with suspicion, even when it references a case they actually opened.