The popular researcher Bob Diachenko found an unprotected database containing over 250 million customer support records along with some personally identifiable information. The unprotected archive was containing support requests submitted to the tech giant from 2005 to December 2019.
“Today, we concluded an investigation into a misconfiguration of an internal customer support database used for Microsoft support case analytics.” reads the post published by Microsoft. “While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.”
Microsoft confirmed that Customer Service and Support” (CSS) records were exposed online due to a misconfigured server containing logs of conversations between the support team and its customers.
Microsoft secured the database on December 31, 2019, it also added that it is not aware of malicious use of the data.
Microsoft explained that the database was redacted using automated tools to remove the personally identifiable information of its customers, but in some sporadic cases, this information was not removed because there was not a standard format.
“Tech support scams entail a scammer contacting users and pretending to be a Microsoft support representative. These types of scams are quite prevalent, and even when scammers don’t have any personal information about their targets, they often impersonate Microsoft staff. Microsoft Windows is, after all, the most popular operating system in the world.”
Technical support logs frequently expose VIP clients, their internal architectures, such kind of data could be used by cyber criminals to compromise the customers’ systems.
The company started notifying impacted customers, below the timeline of the data leak: