250 Million Microsoft Customer Records Exposed Online – Company Says It’s “Taking It Very Seriously”
Over 250 million Microsoft customer records were exposed online, a new report has revealed. The leaked data spans 14 years, going back to 2005. Microsoft has acknowledged the issue; its internal investigation concluded that a misconfigured internal customer support database led to the leak.
The Windows maker said that it's holding itself accountable and "taking it very seriously."
Last night, a report revealed that 250 million Microsoft customer records were exposed online in a database with no password protection. "All of the data was left accessible to anyone with a web browser, with no password or other authentication needed," the report said.
For what it's worth, Microsoft addressed the issue on New Year's Eve, within 24 hours of being notified. The report says the data had been exposed for about two days before the security researchers stumbled upon it and alerted Microsoft, although Microsoft's own timeline (below) puts the misconfiguration on December 5, weeks earlier.
"This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services." - Microsoft
Most of the personally identifiable data was redacted by Microsoft
The data comes from the Customer Service and Support (CSS) records, containing logs of conversations between Microsoft support agents and the company's customers. While most of the personally identifiable information, including contract numbers and payment information, was redacted, many records still contained plaintext data that scammers could misuse. This data includes:
- Email addresses
- IP addresses
- Descriptions of CSS claims and cases
- Microsoft support agent emails
- Case numbers, resolutions, and remarks
- Internal notes marked as “confidential”
Microsoft in its response said that "in some scenarios, the data may have remained unredacted if it met specific conditions. An example of this occurs if the information is in a non-standard format, such as an email address separated with spaces instead of written in a standard format (for example, “XYZ @contoso com” vs “XYZ@contoso.com”)."
The company added that it has started to notify customers whose data was present in this redacted database.
"Misconfigurations are unfortunately a common error across the industry," Microsoft wrote. "We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database."
The Windows maker's internal investigation found that the issue was caused by misconfigured security rules deployed on December 5, which have since been fixed. The company said it has not seen any malicious use of this data. However, considering how many tech support scams target Microsoft users, it would not be surprising to see this data eventually used by scammers posing as Microsoft support representatives.
While some in the industry are tweeting that errors happen everywhere, the lack of penalties for a company that keeps 14-year-old logs and then fails to protect them certainly enables this laissez-faire behavior from even the biggest industry names.