A Microsoft data breach has exposed as many as 250 million customer service records. According to the company, the cause was a “misconfiguration of an internal customer support database” used to track support cases; the records included logs of conversations between Microsoft support agents and customers around the world.
According to the company's report, the customer data was left accessible without a password or any other form of authentication to anyone with a web browser.
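The exposure the company describes, a database that answers anonymous HTTP requests with data, is something a practitioner can test for directly. The script below is an added example and is not Microsoft's or Comparitech's code: it starts two local test servers, one that hands records to anyone and one that demands a bearer token, sends an unauthenticated GET to each, and classifies the result. The `/cases` path, the token `demo-token` and the single sample record are constructed for the demonstration and correspond to nothing on the page.

```python
"""Added example: probe an HTTP endpoint for unauthenticated read access.

Simulates locally the failure mode the article describes (a database API
reachable by anyone with a browser) next to its fixed counterpart.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample record (not real data); shaped like a redacted support-case entry.
SAMPLE_RECORDS = [{"case": "0001", "agent": "[REDACTED]", "notes": "printer driver issue"}]
DEMO_TOKEN = "demo-token"  # assumption for the demo; not a real credential


def make_handler(require_auth: bool):
    """Build a request handler that either serves records openly or demands a bearer token."""

    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the demo quiet
            pass

        def do_GET(self):
            if require_auth and self.headers.get("Authorization") != f"Bearer {DEMO_TOKEN}":
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Bearer realm="support-analytics"')
                self.end_headers()
                return
            body = json.dumps(SAMPLE_RECORDS).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.end_headers()
            self.wfile.write(body)

    return Handler


def start_server(require_auth: bool) -> HTTPServer:
    """Start a local server on a free loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(require_auth))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(url: str) -> dict:
    """Issue an anonymous GET and classify the endpoint.

    'exposed' is True when a request with no credentials gets a 2xx with a body.
    'records' counts JSON array entries returned, so the analyst sees how much
    an anonymous caller could read. 'auth_scheme' echoes WWW-Authenticate on 401.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            status, data = resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return {"status": e.code, "exposed": False, "records": 0,
                "auth_scheme": e.headers.get("WWW-Authenticate")}
    records = 0
    try:
        parsed = json.loads(data)
        if isinstance(parsed, list):
            records = len(parsed)
    except ValueError:
        pass  # non-JSON body still counts as exposed if it is a 2xx with content
    return {"status": status, "exposed": 200 <= status < 300 and bool(data),
            "records": records, "auth_scheme": None}


def demo() -> dict:
    """Probe a misconfigured (open) server and a fixed (authenticated) one."""
    open_srv = start_server(require_auth=False)
    fixed_srv = start_server(require_auth=True)
    try:
        return {
            "misconfigured": probe(f"http://127.0.0.1:{open_srv.server_port}/cases"),
            "fixed": probe(f"http://127.0.0.1:{fixed_srv.server_port}/cases"),
        }
    finally:
        for srv in (open_srv, fixed_srv):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Run against a real inventory, the same `probe` call is the check to schedule: any data-store endpoint that returns `exposed: True` to a request carrying no credentials is the condition described in the article, regardless of what the network rules were meant to be.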
The breach was first reported by Bob Diachenko's security research team at Comparitech.
Ann Johnson, Corporate Vice President of the Cybersecurity Solutions Group at Microsoft, issued a statement about the breach, taking full responsibility for the incident and saying that the company's investigation found no malicious use of any customer data.
The statement read:
While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and hold ourselves accountable,
Based on the report, the misconfiguration was introduced on December 5, 2019, when changes were made to the database's network security. Microsoft's engineers fixed the issue on December 31, 2019 and put proper security measures in place.
The statement also made clear that the breach involved only “support case analytics” data and not commercial cloud services.
The statement read:
This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services,
The company said that data stored in its support case analytics is redacted as standard operating procedure to remove personal information, and that the investigation found most of the data involved in the breach to contain no personal information.
According to Diachenko, the leaked data had been redacted, with redaction covering fields such as emails, contract numbers and payment information. The breach nonetheless exposed plain-text data including customer email addresses, IP addresses, locations, Microsoft support agent emails, case numbers, and case resolutions and notes.
According to the researcher, with all of this information in hand, scammers have a better chance of reaching their targets by impersonating real Microsoft support agents and referring to actual case numbers.
The Comparitech team said:
Microsoft customers and Windows users should be on the lookout for such scams via phone and email. Remember that Microsoft never proactively reaches out to users to solve their tech problems; users must approach Microsoft for help first.
The company said it has started issuing notifications to customers affected by the breach.
Microsoft apologized to its customers in the statement:
We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence.
The company went on to thank Bob Diachenko for working with it and helping to fix the issue in a timely manner:
We also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this misconfiguration, investigate the situation, and begin notifying customers as appropriate.
Data breaches are becoming increasingly common at large tech companies. Not long ago, Facebook suffered a breach of its own when it lost a hard drive containing sensitive user data.