Microsoft Discloses Error in Customer Support Database Leaking 250 Million Records


Microsoft announced that it has closed its investigation into the exposure of customer records due to a "misconfiguration of an internal customer support database" that was used to analyze support cases.

"Our investigation revealed that changes made to the database's network security group on December 5, 2019 included a misconfigured security rule that allowed data exposure. Upon notification of the issue, engineers corrected the configuration on December 31, 2019 and restricted the database to prevent unauthorized access," Microsoft said in a blog post.
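The root cause Microsoft describes is a single overly permissive rule added to the database's network security group (NSG). The check below, added here as an illustration and not code from Microsoft or Comparitech, audits a list of Azure-style NSG rules in the ARM template shape and flags inbound "Allow" rules whose source is the whole Internet; it also diffs a before and after snapshot, which is the review a change to an NSG on a date like December 5 should have triggered. The rule data, the port number, and the rule names are constructed sample values.

```python
"""Audit Azure-style NSG rules for inbound Allow rules reachable from the
whole Internet.  Added example: the rules below are constructed sample data
in the ARM template shape, not Microsoft's actual configuration."""

# Source prefixes that Azure treats as "any Internet address".
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "0.0.0.0"}


def is_internet_source(prefix):
    """True when a source prefix matches every Internet address."""
    return prefix.strip().lower() in INTERNET_SOURCES


def rule_sources(props):
    """ARM rules carry either sourceAddressPrefix or sourceAddressPrefixes."""
    sources = []
    if props.get("sourceAddressPrefix"):
        sources.append(props["sourceAddressPrefix"])
    sources.extend(props.get("sourceAddressPrefixes", []))
    return sources


def rule_ports(props):
    """Same two-field convention for destination ports."""
    ports = []
    if props.get("destinationPortRange"):
        ports.append(props["destinationPortRange"])
    ports.extend(props.get("destinationPortRanges", []))
    return ports


def find_internet_exposed_rules(rules):
    """Return [(priority, name, ports)] for inbound Allow rules whose source
    includes the whole Internet, ordered by priority (lowest number is
    evaluated first by the NSG)."""
    findings = []
    for rule in rules:
        props = rule.get("properties", rule)
        if props.get("direction") != "Inbound" or props.get("access") != "Allow":
            continue
        if not any(is_internet_source(s) for s in rule_sources(props)):
            continue
        findings.append((int(props["priority"]), rule["name"], rule_ports(props)))
    return sorted(findings)


def new_exposures(before, after):
    """Exposed rules present in `after` but not in `before`: the check a
    change review of an NSG modification would run."""
    seen = {name for _, name, _ in find_internet_exposed_rules(before)}
    return [f for f in find_internet_exposed_rules(after) if f[1] not in seen]


def _rule(name, priority, direction, access, source, port):
    return {"name": name, "properties": {
        "priority": priority, "direction": direction, "access": access,
        "protocol": "Tcp", "sourceAddressPrefix": source,
        "destinationAddressPrefix": "*", "sourcePortRange": "*",
        "destinationPortRange": port}}


# Constructed snapshot: only a private range may reach the (hypothetical)
# database port 5432, everything else inbound is denied.
RULES_BEFORE = [
    _rule("allow-corp-db", 100, "Inbound", "Allow", "10.0.0.0/8", "5432"),
    _rule("allow-any-outbound", 100, "Outbound", "Allow", "*", "*"),
    _rule("deny-all-inbound", 4096, "Inbound", "Deny", "*", "*"),
]

# Constructed snapshot after a change that adds an Internet-wide Allow rule
# ahead of the catch-all Deny, the class of mistake the article describes.
RULES_AFTER = RULES_BEFORE + [
    _rule("allow-any-db", 110, "Inbound", "Allow", "Internet", "5432"),
]

if __name__ == "__main__":
    for prio, name, ports in new_exposures(RULES_BEFORE, RULES_AFTER):
        print(f"priority {prio}: rule '{name}' newly allows inbound "
              f"from the Internet to ports {ports}")
```

Run against an exported NSG (for example the JSON from `az network nsg show`), the same function works unchanged because it reads the standard `properties` block; the important design point is that the audit keys on the source prefix rather than on rule names, since a permissive rule rarely announces itself.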

Bob Diachenko, a security researcher at Security Discovery, discovered the improperly configured database and notified Microsoft. According to Comparitech and its security team, led by Diachenko, the misconfiguration affected five servers, each of which contained 250 million identical records.

"We immediately reported it to Microsoft and within 24 hours all servers were protected. I applaud the MS support team for their response and quick action, even on New Year's Eve."

Microsoft noted that "personal information was removed from the majority of records. However, this was not the case for all records."

According to Comparitech, "many records contain plain text data, including customer email addresses, IP addresses, locations, support claims and case descriptions, support agent emails, case numbers and remarks, and internal memos marked 'confidential'."

"While most of the personally identifiable information has been removed from the records, the danger of this exposure should not be underestimated. This data could be especially valuable to tech support scammers," says Comparitech.

"This is because tech support scammers can use information such as that exposed here to contact individuals or impersonate Microsoft support, citing actual case numbers and other details that only Microsoft should know."

Tech-savvy users already know to be wary of unsolicited emails and phone calls. However, in light of this incident, this is a good time to alert less knowledgeable family and friends to be aware of this type of scam.