While most of us are busy doing party and making new year resolution Microsoft’s security team was busy doing overtime to close a security loophole which almost exposed 250 million customer service and support record which can easily be accessed by any web browser for a short period it could be the biggest Microsoft’s data breach.
A security researcher Bob Diachenko and Comparitech found a security vulnerability on 28th December 2019 and quickly reported about the unprotected log files to the Microsoft team and within two days Microsoft fixed the issue.
According to Microsoft’s investigation team, it happened due to the misconfiguration of one of the internal customer support database.
While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and hold ourselves accountable,
Ann Johnson, Corporate Vice President, Cybersecurity Solutions Group at Microsoft said in a statement late Wednesday.
The server has conversation log files which were from a period of 2005 to 2019. The database was not protected even by a single password.
We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence,
said Microsoft.
What data was exposed?
Diachenko explained that the data included personal information such as emails, contact numbers, payment information, etc.
- Customer email addresses
- IP addresses
- Locations
- Descriptions of CSS claims and cases
- Microsoft support agent emails
- Case numbers, resolutions, and remarks
- Internal notes marked as “confidential”
Microsoft customers and Windows users should be on the lookout for such scams via phone and email. Remember that Microsoft never proactively reaches out to users to solve their tech problems “users must approach Microsoft for help first
said the Comparitech team.
Microsoft said that they plan to audit their internal security and implement more tools to redact sensitive information automatically. Whenever it detects a misconfiguration it will expand alert to notify its service teams.
