
Microsoft exposed 250 million users’ private records in December

Microsoft exposed roughly 250 million customer service and support records in December 2019, according to this blog post by Comparitech. The leak was uncovered by a Comparitech team led by Bob Diachenko, who promptly notified Microsoft of the issue. The records, more specifically the databases that contained them, were indexed by the BinaryEdge search engine on Dec. 28. Within 24 hours, according to Diachenko, Microsoft had secured all servers.

Eric Doerr, general manager at Microsoft, had this to say about the incident:

We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate.

So exactly which Microsoft records were exposed? According to Comparitech, no mail aliases, contact numbers, or payment information were leaked. That is some comfort, but there is still a large cause for concern, because the following was leaked: email addresses of Microsoft customers, IP addresses, individual locations, CSS claims and cases, email addresses of support agents, case information (such as case numbers and unique remarks), and internal confidential notes.

While it is great that Microsoft closed the leak quickly, the fact remains that for two whole days threat actors had access to private data. This data can easily be used in a plethora of ways, mostly in social engineering schemes which always have a margin of success. Even more damning for Microsoft, as Comparitech points out, this is the second private data incident of 2019 and the third in the 2010s decade. For a company as large and trusted as Microsoft, these incidents are inexcusable.

Though researchers are fairly certain that no other third-party actors accessed the databases, there is simply no way to guarantee this. Microsoft customers should be more on guard than usual, as various social engineering attacks (such as tech support scams) could be heading their way.

Use common sense and you should be fine.

Featured image: Pixabay

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating a society that is informed about information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
