A new report today revealed that Microsoft accidentally exposed 250 million customer service and support records online. The leaked data included conversations between Microsoft support agents and customers which were recorded from 2005 to December 2019. After receiving the information about the leak, Microsoft has now secured the data from public. One good thing is that personally identifiable information was redacted in the leaked data.
The leaked data contained following information:
- Customer email addresses
- IP addresses
- Descriptions of CSS claims and cases
- Microsoft support agent emails
- Case numbers, resolutions, and remarks
- Internal notes marked as “confidential”
It is important to note that the data was left accessible to anyone without any authentication required. The data was first found on December 29th and Microsoft took action on December 30th. Microsoft fixed this issue within 24 hours!
“I immediately reported this to Microsoft and within 24 hours all servers were secured,” said Bob Diachenko of Comparitech security research team. “I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve.”
If the exposed data is already in the wrong hands, there is a high possibility that customer email addresses will be used for tech support scams. Hopefully, Microsoft will alert its customers to be careful in the coming months.
Update: Microsoft confirmed this data leak and revealed that this issue occurred due to a misconfiguration of an internal customer support database used for Microsoft support case analytics. Microsoft mentioned that it is taking action to prevent future occurrences of this issue. The actions include:
- Auditing the established network security rules for internal resources.
- Expanding the scope of the mechanisms that detect security rule misconfigurations.
- Adding additional alerting to service teams when security rule misconfigurations are detected.
- Implementing additional redaction automation.
“Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available”, wrote Microsoft.