250 Million Microsoft Customer Records Exposed Online – Company Says It’s “Taking It Very Seriously”
Jul 12, 2025 10:01 PM

Over 250 million Microsoft customer records were exposed online, a new report has revealed. The leaked data contains records spanning 14 years, going back to 2005. Microsoft has acknowledged the issue, with its internal investigation concluding that misconfiguration of an internal customer support database led to this leak.

The Windows maker said that it's holding itself accountable and "taking it very seriously."

Last night, a report revealed that 250 million Microsoft customer records were exposed online in a database with no password protection. "All of the data was left accessible to anyone with a web browser, with no password or other authentication needed," the report said.

For what it's worth, the issue was addressed by Microsoft on New Year's Eve, within 24 hours of being notified. The data remained exposed for about two days before the security researchers stumbled upon it and alerted Microsoft.

"This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services." - Microsoft

Most of the personally identifiable data was redacted by Microsoft

The data comes from the Customer Service and Support (CSS) records, containing logs of conversations between Microsoft support agents and the company's customers. While most of the personally identifiable information, including contract numbers and payment information, was redacted, there were still many records that contained plain text data and could be misused by scammers. This data includes:

- Email addresses
- IP addresses
- Locations
- Descriptions of CSS claims and cases
- Microsoft support agent emails
- Case numbers, resolutions, and remarks
- Internal notes marked as “confidential”

Microsoft in its response said that "in some scenarios, the data may have remained unredacted if it met specific conditions. An example of this occurs if the information is in a non-standard format, such as an email address separated with spaces instead of written in a standard format (for example, “XYZ @contoso com” vs “XYZ@contoso.com”)."
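The redaction gap Microsoft describes can be reproduced with a short added example (not Microsoft's redaction code): a strict address pattern misses the spaced form, while a tolerant pattern and a post-redaction audit catch it. The regular expressions, the short TLD list, the mask string and the sample case lines are all assumptions constructed for illustration.

```python
import re

# Strict matcher: only well-formed addresses such as XYZ@contoso.com.
STRICT_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")

# Tolerant matcher (assumption of this example): whitespace may surround "@"
# and domain labels may be separated by spaces instead of dots. A short TLD
# list anchors the end of the match to limit false positives.
TLD = r"(?:com|net|org|edu|gov)"
LABEL = r"[A-Za-z0-9-]+"
LOOSE_EMAIL = re.compile(
    rf"[A-Za-z0-9._%+-]+\s*@\s*{LABEL}(?:[\s.]+{LABEL})*?[\s.]+{TLD}\b",
    re.IGNORECASE,
)

MASK = "[REDACTED_EMAIL]"


def redact_strict(text):
    """Mask only addresses written in the standard format."""
    return STRICT_EMAIL.sub(MASK, text)


def redact_tolerant(text):
    """Mask standard addresses and the space-separated variant."""
    return LOOSE_EMAIL.sub(MASK, text)


def residual_pii(redacted_text):
    """Audit step: lines that still look like they hold an address."""
    return [ln for ln in redacted_text.splitlines() if LOOSE_EMAIL.search(ln)]


# Constructed sample support-case lines (not real data).
SAMPLE = """\
Case 1001: customer XYZ@contoso.com reports sign-in failure
Case 1002: reply to XYZ @contoso com when resolved
Case 1003: no contact details supplied"""

if __name__ == "__main__":
    print(redact_strict(SAMPLE))
    print("still exposed:", residual_pii(redact_strict(SAMPLE)))
    print(redact_tolerant(SAMPLE))
```

Running the audit over already-redacted output is the useful part in practice: it flags records the primary redactor skipped before the data is stored or shared.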

The company added that it has started to notify customers whose data was present in this redacted database.

"Misconfigurations are unfortunately a common error across the industry," Microsoft wrote. "We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database."

The Windows maker's internal investigation found that the issue occurred because of misconfigured security rules that were deployed on December 5 and have since been fixed. The company assured that it hasn't seen any malicious use of this data. However, considering how many tech support scams target Microsoft users, it wouldn't be surprising to see this data eventually being used by scammers pretending to be Microsoft support representatives.

While some in the industry are tweeting that errors happen everywhere, the lack of penalties for a company keeping 14-year-old logs and then failing to protect those logs certainly enables this laissez-faire behavior from even the biggest industry names.
