
Microsoft admits exposing 250 million customer service records

The huge database included customer details and could be viewed by anyone

Microsoft has admitted that nearly 250 million customer service records were left exposed for all to see in late 2019.

The huge database was replicated on five servers, all of which could be accessed by anyone who knew their location online, as they were not protected with a password.

The exposed data included conversation logs between Microsoft support staff and customers from all over the world, and spanned a 14-year period from 2005 to 2019.

Thankfully, most personal data, like customer contact numbers and payment information, was redacted, but visible data included customer email addresses, IP addresses and locations, as well as emails from Microsoft support agents, case numbers, resolutions and remarks, and internal notes marked as "confidential".

Cybersecurity expert Graham Cluley wrote on his website: "Such information could clearly be useful to a scammer posing as a genuine Microsoft support technician."

The vulnerable database was first discovered by security researcher Bob Diachenko and cybersecurity website Comparitech, who contacted Microsoft on December 29, 2019. The issue was then fixed by January 1.

Image: Microsoft Support webpage. The database included details of Microsoft Support conversations with customers all over the world. (Credit: Microsoft)

Writing in a blog post this week, Microsoft said it had not found any evidence of the data being used maliciously. Blaming security changes made to the database on December 5, Microsoft said most personal information was redacted. However, it also said that, in cases where email addresses mistakenly included a space or other typing errors, personally identifiable information may have been exposed.

The company said: "Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we've learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available."

Microsoft added: "We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence."
