A Microsoft data breach has just exposed as many as 250 million customer service records. According to the company, this was caused by a “misconfiguration of an internal customer support database” that was used to track support cases. These cases included logs of conversations between Microsoft support agents and customers from all around the world.
According to a report issued by the company, the data of all the customers was left accessible without any password or any sort of authentication to anyone with a web browser.
The Microsoft data breach was first reported by Bob Diachenko’s security research team at Comparitech.
Ann Johnson, Corporate Vice President, Cybersecurity Solutions Group at Microsoft, issued a statement about the data breach, taking full responsibility for the incident and saying that, according to their investigations, no malicious use of any customer data was found.
The statement read:
While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and hold ourselves accountable.
Based on the report, the misconfiguration took place on December 5, 2019, when changes were made to the database’s network security group.
However, the engineers at Microsoft did fix the issue on December 31, 2019 and put in proper security measures.
The statement also made it clear that the data breach only included “support case analytics” and that commercial cloud services data wasn’t affected.
The statement read:
This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services.
The company did say that the data stored in their support case analytics is redacted as a common operating procedure to remove any personal information, and that the investigation found most of the data involved in the data breach had no personal information present.
According to Diachenko, the leaked information was redacted, and this includes information like emails, contract numbers and even payment information.
However, the data breach did include plain-text data with information like customer email addresses, IP addresses, locations, Microsoft support agent emails, case numbers, resolutions and notes regarding the cases.
According to the security researcher, with all of this information, scammers have a better chance of achieving their targets by impersonating real Microsoft support agents and referring to actual case numbers.
The Comparitech team said:
Microsoft customers and Windows users should be on the lookout for such scams via phone and email. Remember that Microsoft never proactively reaches out to users to solve their tech problems; users must approach Microsoft for help first.
According to the company, they have started issuing notifications to customers who were affected by this breach.
Microsoft apologized to its customers in the statement saying:
We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence.
The company went on to thank Bob Diachenko for working with them and helping to fix the issue in a timely manner, saying:
We also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this misconfiguration, investigate the situation, and begin notifying customers as appropriate.
Data breaches are becoming increasingly common among tech companies. A while back, Facebook had a data breach when it lost an important hard drive containing sensitive user data.