Microsoft exposed roughly 250 million customer service and support records in December 2019, according to this blog post by Comparitech. The leak was uncovered by a Comparitech team led by Bob Diachenko, who promptly notified Microsoft of the issue. The records, more specifically the databases that contained them, were indexed by the BinaryEdge search engine on Dec. 28. Within 24 hours, according to Diachenko, Microsoft had secured all servers.
Eric Doerr, general manager at Microsoft, had this to say about the incident:
We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate.
So exactly which Microsoft records were exposed? According to Comparitech, no mail aliases, contact numbers, or payment information were leaked. That much is reassuring; however, there is still serious cause for concern, because the following was exposed: email addresses of Microsoft customers, IP addresses, individual locations, CSS claims and cases, email addresses of support agents, case information (such as case numbers and unique remarks), and internal confidential notes.
While it is good that Microsoft closed the leak quickly, the fact remains that for two whole days private data was accessible to threat actors. Such data can be used in many ways, most readily in social engineering schemes, which always have some chance of success. Even more damning for Microsoft, as Comparitech points out, this is the second private-data incident of 2019 and the third of the 2010s. For a company as large and trusted as Microsoft, these incidents are inexcusable.
Though researchers are fairly certain that no other third-party actors accessed the databases, there is simply no way to guarantee this. Microsoft customers should be in defensive mode, more than usual at least, since various social engineering attacks (such as tech support scams) could be heading their way.
Use common sense and you should be fine.