Microsoft discloses security breach of customer support database

Joanna Estrada
January 22, 2020

Microsoft disclosed a security breach caused by a misconfigured internal customer support database that led to the accidental exposure of roughly 250 million customer support and service records, some of them containing personally identifiable information.

Bob Diachenko spotted the major privacy snafu a day after databases across five Elasticsearch servers were indexed by the BinaryEdge search engine on December 28.

Each contained a seemingly identical trove of Microsoft Customer Service and Support (CSS) records spanning a 14-year period. Microsoft fixed this issue within 24 hours. That's critical because Microsoft requires data stored in support-case analytics databases to be redacted so that personal information is removed.

Microsoft said that most of the records didn't contain any personal user information.

What information was left exposed?

"In some scenarios, the data may have remained unredacted if it met specific conditions." The data was exposed between December 5 and December 31.

For instance, email addresses written with spaces (like "username @") instead of in the standard format were left untouched by Microsoft's automated PII redaction tools.
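The failure mode described above, as an added illustration that is not Microsoft's redaction tooling: a strict email pattern leaves addresses written with spaces around the "@" untouched, while a whitespace-tolerant pattern redacts them and a residual check flags anything still slipping through. The patterns, function names and sample notes are constructed for this example.

```python
import re

# Strict pattern: local part, "@" and domain must be adjacent.
# (Assumed stand-in for a naive redactor; the real tool's rules are not public.)
STRICT_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Tolerant pattern: also accepts whitespace on either side of the "@".
TOLERANT_EMAIL = re.compile(
    r"[A-Za-z0-9._%+-]+\s*@\s*[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"
)

# Constructed support-case notes (not real data).
NOTES = [
    "Customer alice@example.com reports login failure.",
    "Callback requested, reach user at bob @ example.org after 5pm.",
    "Agent carol@ support.example.net escalated case 1234.",
    "No contact details in this note.",
]


def redact(text, pattern):
    """Replace every match of the pattern with a fixed placeholder."""
    return pattern.sub("[EMAIL]", text)


def residual_lines(notes, pattern):
    """Return indexes of notes that still contain '@' after redaction.

    A leftover '@' is a cheap signal that an address in a non-standard
    format escaped the pattern and the record needs review before it is
    copied into an analytics store.
    """
    return [i for i, note in enumerate(notes) if "@" in redact(note, pattern)]


if __name__ == "__main__":
    for name, pattern in (("strict", STRICT_EMAIL), ("tolerant", TOLERANT_EMAIL)):
        print(name, "leaves unredacted notes:", residual_lines(NOTES, pattern))
        for note in NOTES:
            print("   ", redact(note, pattern))
```

The residual check is deliberately independent of the redaction pattern, so it keeps working as a safety net when a new address format appears that neither pattern covers.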

Comparitech says "many records contained plain text data", including customer email addresses, IP addresses, locations, descriptions of support claims and cases, support agent emails, case numbers and remarks, and internal notes marked as "confidential".

This presented not just a phishing risk but a valuable collection of data for tech support scammers who impersonate call center agents from Microsoft and other companies to install malware on victim machines and steal financial data. For example, they could cite actual case numbers gathered from the exposed database.

Microsoft has posted further information about the incident. Eric Doerr, general manager at the company, said: "We're thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate."

Diachenko only noticed the database after it was indexed by a search engine on December 28, and it's not clear if anyone else saw it.

What is Microsoft doing to prevent another exposure?

After receiving the information about the leak, Microsoft has now secured the data from public access. Microsoft mentioned that it is taking action to prevent future occurrences of this issue: auditing the established network security rules for internal resources.
