Microsoft Says Security Error Exposed Customer Support Data In December

Microsoft discloses security breach of customer support database

Microsoft accidentally exposes 250 million customer support records online

Bob Diachenko, a security researcher with Security Discovery, found the improperly configured database and notified Microsoft.

According to Comparitech, much of the personally identifiable information associated with the CSS (Customer Service and Support) records was redacted; however, numerous records still contained plaintext data.

Despite the absence of financial or username/password data in the leaked database, the incident is embarrassing for Microsoft, undermining its efforts to keep its customers secure.

Microsoft didn't provide details such as the number of records exposed, the type of database that was left unprotected, or the type of personal information left in the open, saying only that data in the support case analytics database was "redacted using automated tools to remove personal information".

In a blog post today, the OS maker said that an internal customer support database that was storing anonymized user analytics was accidentally exposed online without proper protections between December 5 and December 31.

Microsoft said the issue was specific to the support database and does not reflect an exposure of its commercial cloud services.

"Our investigation confirmed that the vast majority of records were cleared of personal information in accordance with our standard practices", Microsoft said in a blog post.

What information was left exposed?

Microsoft cited the example of information with a non-standard format, such as an email address in which there was a space instead of a dot before "com".
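The failure mode Microsoft describes is a redaction rule that only recognises well-formed addresses, so a malformed one such as "name@example com" passes through untouched. The following is an added illustration, not Microsoft's tooling and not code from any of the outlets quoted here; the sample records are constructed strings. It contrasts a strict pattern with a tolerant one and, more importantly, adds a residual check that flags any record still containing an email-like token so it can be held for review instead of exported.

```python
import re

# Constructed sample support notes mimicking the formats described in the article
# (a well-formed address beside one with a space instead of the dot before "com").
# These are invented strings, not data from the exposed database.
SAMPLE_RECORDS = [
    "Customer alice@example.com reports a login loop; agent bob@contoso.com",
    "Customer carol@example com asked about licensing",
    "Follow-up from dave @ example . com, case 12345",
    "No contact details in this note",
]

PLACEHOLDER = "[REDACTED]"

# Strict pattern: the kind of rule an automated tool typically applies.
# It only matches well-formed addresses, so "carol@example com" slips through.
STRICT_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Tolerant pattern: permits whitespace around "@" and allows a space where the
# final dot should be, as long as what follows looks like a short TLD.
# It is deliberately biased toward over-redaction.
TOLERANT_EMAIL = re.compile(
    r"[\w.+-]+\s*@\s*[\w-]+(?:\s*\.\s*[\w-]+)*\s*[.\s]\s*[A-Za-z]{2,6}\b"
)

# Residual check: any "@" that still has word characters on both sides
# (whitespace permitted) after redaction means an address probably survived.
RESIDUAL_AT = re.compile(r"\w\s*@\s*\w")


def redact(text: str, pattern: re.Pattern = STRICT_EMAIL) -> str:
    """Replace every match of `pattern` in `text` with PLACEHOLDER."""
    return pattern.sub(PLACEHOLDER, text)


def has_residual_email(text: str) -> bool:
    """Return True if an email-like token appears to remain after redaction."""
    return RESIDUAL_AT.search(text) is not None


def process(records, pattern: re.Pattern = STRICT_EMAIL):
    """Redact each record and flag any that fail the residual check.

    Returns (redacted_records, flagged_indices). Flagged records should be
    held back for manual review rather than exported.
    """
    redacted = [redact(r, pattern) for r in records]
    flagged = [i for i, r in enumerate(redacted) if has_residual_email(r)]
    return redacted, flagged


if __name__ == "__main__":
    for name, pat in (("strict", STRICT_EMAIL), ("tolerant", TOLERANT_EMAIL)):
        out, flagged = process(SAMPLE_RECORDS, pat)
        print(f"--- {name} ---")
        for i, line in enumerate(out):
            print(("FLAG " if i in flagged else "ok   ") + line)
```

With the strict pattern, records 1 and 2 keep their addresses and are flagged by the residual check; with the tolerant pattern all three addresses are replaced and nothing is flagged. The residual check is the part worth keeping regardless of which matcher is used: it turns "the tool ran" into "the output was verified" before the data leaves the redaction pipeline.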

The exposure came to light after the data was indexed by the search engine BinaryEdge.

Comparitech says "many records contained plain text data", including customer email addresses, IP addresses, locations, descriptions of support claims and cases, support agent emails, case numbers and remarks, and internal notes marked as "confidential".

Comparitech noted that these kinds of incidents can often lead to "tech support scams", in which attackers pose as customer service agents to obtain users' personal information. Diachenko only noticed the database after it was indexed by a search engine on December 28, and it's not clear whether anyone else saw it.

Diachenko informed Microsoft, which quickly secured the data. Hopefully, Microsoft will alert its customers to be careful in the coming months.

"We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence", the company wrote.

Among the actions Microsoft listed in response was auditing the established network security rules for internal resources.
