Microsoft has disclosed a data breach in one of its customer support databases that left 250 million records open for anyone to access via a web browser.
In a blog post, Microsoft confirms that “an internal database used for support case analytics” was exposed between 5th December 2019 and 31st December 2019 due to “misconfigured security rules.”
Bob Diachenko, a security researcher, spotted the database online and reported the security loophole on 29th December. While everyone else was celebrating the start of a new year, people at Microsoft were busy securing the database.
250 Million Records Exposed
While Microsoft hasn’t detailed the number of consumers affected, Comparitech says 250 million customer service and support (CSS) records were exposed.
According to Comparitech, the database included logs between Microsoft customer service and consumers dating back to 2005. Interestingly, the data was neither password-protected nor required any authentication, enabling anyone with an Internet connection to look through the details.
Microsoft says that most of the data had been redacted as part of its standard procedure of removing stored personal information with automated tools.
However, as Diachenko told Comparitech, and Microsoft concurs, some information was left unredacted, since many records contained plain text. This includes customer emails, Microsoft agent emails, IP addresses, locations, case numbers, and notes and remarks on the case.
Microsoft says that it has started notifying all the consumers who were affected by the data breach. Moreover, the tech giant claims to be putting in place security practices that will help mitigate any future security rule misconfigurations.
All Windows users who have ever talked to Microsoft customer representatives should be vigilant. Crooks can use the exposed information to pretend to be a Microsoft customer agent.