
Microsoft exposed 250 million users’ private records in December

Microsoft exposed roughly 250 million customer service and support records in December 2019, according to this blog post by Comparitech. The leak was uncovered by a Comparitech team led by Bob Diachenko, who promptly notified Microsoft of the issue. The records, more specifically the databases that contained them, were indexed by the BinaryEdge search engine on Dec. 28. Within 24 hours, according to Diachenko, Microsoft had secured all servers.

Eric Doerr, general manager at Microsoft, had this to say about the incident:

We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate.

So exactly which Microsoft records were exposed? According to Comparitech, no mail aliases, contact numbers, or payment information were leaked. That sounds reassuring, but there is still a large cause for concern, because the following was exposed: email addresses of Microsoft customers, IP addresses, individual locations, CSS claims and cases, email addresses of support agents, case information (such as case numbers and unique remarks), and internal confidential notes.

While it is great that Microsoft closed the leak quickly, the fact remains that for two whole days this private data sat exposed to any threat actor who found it. Such data can easily be used in a plethora of ways, mostly in social engineering schemes, which always have some margin of success. Even more damning for Microsoft, as Comparitech points out, this is the second private data incident of 2019 and the third of the 2010s. For a company as large and trusted as Microsoft, these incidents are inexcusable.

Though researchers are fairly certain that no other third-party actors accessed the databases, there is simply no way to guarantee this. Microsoft customers should be in defensive mode, more than usual at least, as various social engineering attacks (such as tech support scams) could be heading their way.

Use common sense and you should be fine.

Featured image: Pixabay

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating a society that is informed about information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

