Last month, Microsoft databases housing 250 million customer support records going back to 2005 were accidentally exposed on the open internet.
The records involved conversation logs between Microsoft support agents and customers across the globe, according to security researcher Bob Diachenko, who spotted the leak on Dec. 29 with the team at Comparitech.
Fortunately, most of the exposed records were redacted, stripped of customers' personal information, such as payment details. But in some cases, the logs still contained plain text data mentioning customers' email address, IP addresses, locations, as well as descriptions of the support claim.
The databases would've been extremely valuable for tech support scammers, who try to trick unsuspecting victims into thinking their computer is riddled with viruses. The records would've given them a launching pad to pose as Microsoft support agents, who could then refer to the old tech-support tickets to prove their legitimacy.
Not helping the matter was how anyone could access the exposed Microsoft servers via a web browser, no password needed. Diachenko reported the leak to Microsoft on the same day he discovered it, and the software giant patched the problem in two days.
"While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable," Microsoft said in a blog post today.
The root of leak occurred on Dec. 5, when the company accidentally misconfigured the security rules around the servers, which were focused on "support case analytics." Microsoft said it uses automated tools to remove personal information from customer support records, but in some scenarios, the records can remain unredacted under "specific conditions."
"An example of this occurs if the information is in a non-standard format, such as an email address separated with spaces instead of written in a standard format (for example, 'XYZ @contoso com' vs 'XYZ@contoso.com'). We have begun notifications to customers whose data was present in this redacted database," the company added.
Microsoft adds it's taken action to prevent future accidental server misconfigurations. "We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database," the company said.
By Michael Kan