
Microsoft Discloses It Left Over 250 Million Customer Support Records Exposed on Servers

Photo: Stephen Brashear (Getty Images)

Microsoft inadvertently left hundreds of millions of customer service and support requests exposed on several servers without password protection from Dec. 5 to Dec. 31, 2019, the company’s Security Response Center wrote in a blog post on Wednesday.


Bob Diachenko of Security Discovery, the researcher who originally spotted the issue, told ZDNet that Microsoft left over 250 million user analytics records exposed on five Elasticsearch servers that apparently mirrored each other. He added that the company promptly fixed the issue, despite it being New Year’s Eve.


Microsoft’s security team wrote in the blog post that the company works to ensure “data stored in the support case analytics database is redacted using automated tools to remove personal information” and that the “vast majority” of the 250 million entries were properly redacted. However, in some cases where the data was originally entered in a format the system didn’t recognize, the email addresses may not have been redacted (Microsoft used the example of an email address entered as “XYZ @contoso com” vs the proper format, “XYZ@contoso.com”).
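The failure mode described above is easy to reproduce in miniature: a redaction pass keyed to well-formed addresses silently passes anything that deviates from that shape. The following is an added example, not Microsoft's tooling or the article's own code; the two regular expressions, the `[REDACTED]` placeholder and the sample support-case notes are all constructed here. It puts a strict matcher beside a tolerant one that also accepts whitespace around the `@`, a bare space where the last dot should be (the "XYZ @contoso com" case), and `[at]`/`[dot]` spellings, and it adds the check a defender actually wants in front of an analytics store: flag every record where strict redaction leaves something address-like behind, so it is held for review instead of being loaded as "redacted".

```python
import re

# Pattern a typical automated redaction pass uses: a well-formed address only.
# (Constructed for this example; not Microsoft's redaction rule.)
STRICT_SRC = r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}\b"

# Looser pattern covering the failure mode described in the article: whitespace
# around "@" and a space (or a spelled-out dot) where the final "." should be,
# e.g. "XYZ @contoso com". It also accepts "[at]"/"(at)" style obfuscation.
LOOSE_SRC = (
    r"\b[A-Za-z0-9._%+-]+"                              # local part
    r"\s*(?:@|\[at\]|\(at\))\s*"                        # "@", possibly spaced or spelled out
    r"[A-Za-z0-9-]+"                                    # first domain label
    r"(?:\s*(?:\.|\[dot\]|\(dot\))\s*[A-Za-z0-9-]+)*"  # further dotted labels
    r"(?:\s*(?:\.|\[dot\]|\(dot\))\s*|\s+)"             # final separator: dot-like, or a bare space
    r"[A-Za-z]{2,6}\b"                                  # top-level label
)

STRICT_EMAIL = re.compile(STRICT_SRC)
# Try the strict form first so well-formed addresses are matched exactly and the
# loose form only fires on malformed input (it may over-match one trailing word,
# which is the safer direction for a redaction tool to err in).
TOLERANT_EMAIL = re.compile(f"(?:{STRICT_SRC})|(?:{LOOSE_SRC})", re.IGNORECASE)

PLACEHOLDER = "[REDACTED]"


def redact_strict(text: str) -> str:
    """Redact only well-formed addresses, as a naive pipeline would."""
    return STRICT_EMAIL.sub(PLACEHOLDER, text)


def redact_tolerant(text: str) -> str:
    """Redact well-formed and malformed addresses."""
    return TOLERANT_EMAIL.sub(PLACEHOLDER, text)


def find_residual_pii(records):
    """Return ids of records where strict redaction leaves an address-like string behind.

    Records flagged here should be held for review rather than loaded into an
    analytics store as "redacted".
    """
    flagged = []
    for rec_id, text in records:
        after_strict = redact_strict(text)
        if TOLERANT_EMAIL.search(after_strict):
            flagged.append(rec_id)
    return flagged


# Constructed sample support-case notes; not real customer data.
SAMPLE_RECORDS = [
    ("case-0001", "Customer XYZ@contoso.com reports login loop after update."),
    ("case-0002", "Customer XYZ @contoso com reports login loop after update."),
    ("case-0003", "Follow-up call scheduled; no contact details in notes."),
    ("case-0004", "Reply sent to support.user@contoso.co.uk and cc'd to j doe @ contoso com"),
]

if __name__ == "__main__":
    for rec_id, text in SAMPLE_RECORDS:
        print(rec_id, "strict:  ", redact_strict(text))
        print(rec_id, "tolerant:", redact_tolerant(text))
    print("needs review:", find_residual_pii(SAMPLE_RECORDS))
```

Run stand-alone, the script shows `case-0002` surviving the strict pass untouched while the tolerant pass redacts it, and `find_residual_pii` returns `case-0002` and `case-0004` as the records that would have leaked. The design point is that the coverage check does not depend on the tolerant matcher being perfect; it only has to be broader than the production rule to turn a silent leak into a reviewable queue.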

“Misconfigurations are unfortunately a common error across the industry,” the Security Response Center wrote. “We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database.” The company wrote that it had no evidence that malicious parties accessed the information.

Security firm Comparitech wrote on its website that the exposed data spanned 14 years of customer support records and that, in addition to email addresses, other exposed data included IP addresses, location, and details of customer support cases such as communications between representatives and users. The firm noted that while the information may be relatively mundane, it could be of use to scammers who pose as support agents to steal money from unwary victims. It also noted that Microsoft has faced breaches before, such as a 2013 incident involving its bug-tracking system and a compromised support agent account in 2019 that may have allowed attackers limited glimpses into Outlook.com addresses, including email subject lines but not their contents.

Microsoft added in the blog post that it is working on several measures to increase security after the incident. Those include “auditing established network security rules for internal resources,” expanding detection and reporting of security rule misconfigurations, and redacting more information from records in the future.


DISCUSSION

Dixie-Flatline

I recall being at a birthday party once for a friend of a friend out at some bar. Didn’t know many of the people there, but did know they basically all worked on some backend stuff for a large bank. About 10pm, they all get a call at the same time and immediately drop everything, pay and leave. It was like I turned around and the entire party left. That’s what it must have been like for a New Year’s Eve priority 1 call like this one. I hope those people are getting properly compensated for the whole “job over life” hierarchy.