Microsoft is coming under fire for a breach in customer privacy after it was revealed that the records of 250 million customers were exposed late last year. The data leak was initially reported on by security firm Comparitech, which found the information spread across five Elasticsearch servers.
According to Comparitech, all five servers contained identical information from the 250 million customer records. The scope of the data unearthed was vast, covering a time period spanning from 2005 through December 2019. And what's even more unsettling is that this information was publicly indexed, meaning that anyone could access the information.
Information that was exposed included customer email addresses, IP addresses, descriptions of ongoing claims and cases, email addresses of Microsoft support representatives, location data, and "confidential" internal notes penned by Microsoft support reps. Fortunately, personally identifiable data like contract numbers and payment information was scrubbed from the records.
Still, the leaked information could prove valuable to the ubiquitous tech support scammers that are a thorn in the side of PC users -- particularly older Windows customers. These scammers often impersonate Microsoft support staff in order to persuade their victims to sign up for paid services. As the security firm explains:
With detailed logs and case information in hand, scammers stand a better chance of succeeding against their targets. If scammers obtained the data before it was secured, they could exploit it by impersonating a real Microsoft employee and referring to a real case number. From there, they could phish for sensitive information or hijack user devices.
Comparitech reports that it first discovered the publicly-accessible data on December 29th -- the day after it was first indexed by BinaryEdge -- and immediately contacted Microsoft.
"Within 24 hours all servers were secured," writes Comparitech security researcher Bob Diachenko. "I applaud the MS support team for responsiveness and quick turnaround on this despite New Year's Eve."
For its part, Microsoft attributed the breach to an "access misconfiguration" and said that it "found no malicious use" of the data. The company went on to add that "This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services."
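The "access misconfiguration" Microsoft describes is the classic pattern behind exposed Elasticsearch clusters: the HTTP API bound to a non-loopback interface with authentication switched off. The following audit script is an added example, not code from Microsoft, Comparitech or Elastic, showing how a defender can flag that pattern in a flat `elasticsearch.yml` before an external indexer finds it. It assumes the standard setting names `network.host`, `http.host`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled`, and the pre-8.0 default of security being off unless enabled; the two sample configurations are constructed for illustration and the cluster name is invented.

```python
"""Flag elasticsearch.yml settings that expose the HTTP API without authentication.

Added example (not from the article, Microsoft, Comparitech or Elastic). Assumes
the classic Elasticsearch setting names and the pre-8.0 default that
xpack.security.enabled is false unless set. Sample configs below are constructed.
"""

# Values of network.host / http.host that keep the API on the local machine only.
LOOPBACK_VALUES = {"127.0.0.1", "::1", "localhost", "_local_"}

# Constructed sample: the exposure pattern (public bind, no auth).
EXPOSED_CONFIG = """
cluster.name: support-analytics   # constructed name, not Microsoft's
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: same bind, but authentication and TLS enabled.
HARDENED_CONFIG = """
cluster.name: support-analytics
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text):
    """Parse the flat `key: value` lines elasticsearch.yml normally uses.

    Comments and blank lines are skipped. Nested block YAML is deliberately
    not handled; the dotted-key style is what this check targets.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def _is_true(value):
    return str(value).strip().lower() == "true"


def audit(settings):
    """Return a list of findings; an empty list means no exposure pattern was seen."""
    findings = []
    # Default bind is loopback only; http.host overrides network.host for the API.
    bind = settings.get("http.host", settings.get("network.host", "_local_"))
    hosts = [h.strip() for h in bind.strip("[]").split(",") if h.strip()]
    public = [h for h in hosts if h not in LOOPBACK_VALUES]
    security_on = _is_true(settings.get("xpack.security.enabled", "false"))
    tls_on = _is_true(settings.get("xpack.security.http.ssl.enabled", "false"))

    if public and not security_on:
        findings.append(
            f"HTTP API bound to {public} with xpack.security.enabled=false: "
            "unauthenticated read access to every index"
        )
    elif public and not tls_on:
        findings.append(
            f"HTTP API bound to {public} without TLS: credentials and data cross the network in cleartext"
        )
    return findings


if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(parse_flat_yaml(text))
        print(f"{label}: {result if result else 'no findings'}")
```

Run it against a real config file by reading the file into `parse_flat_yaml`; the useful habit is to run such a check in the deployment pipeline, so a cluster that binds to a public interface without `xpack.security.enabled: true` never reaches production. Pair it with an external attack-surface scan of your own address ranges, since in this incident the data was indexed by a third-party search engine a day before the researchers spotted it.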
"We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence," Microsoft concluded.