#LeakAlert: Microsoft exposed over 250 million customer support records
Microsoft is facing flak for exposing over 250 million customer service records on several open servers. The issue reportedly occurred due to the "misconfiguration of an internal customer support database" used for tracking service/support cases. Thankfully though, the Redmond giant plugged the leak soon after being notified. Here's all you need to know about it.
Data exposed throughout December
As first noted by tech blog Comparitech and security researcher Bob Diachenko, Microsoft left hundreds of millions of customer service and support requests exposed on five Elasticsearch servers mirroring each other. The data was available without password protection between December 5, 2019, and December 31, 2019, and anyone who knew where to look could have accessed it easily.
14 years' worth of conversations were left open
According to Comparitech, which analyzed the leak, the data exposed had as much as 14 years' worth of conversations between Microsoft support representatives and customers from all over the world. These conversations could have included details related to personal accounts (like Skype username/email/location), hardware, and software, which a hacker - if they gain unauthorized access - could use for phishing attacks/scams.
However, Microsoft says 'vast majority' of personal information redacted
While disclosing the leak, Microsoft claimed that the personal information stored in the leaked database was removed through automated tools. "Our investigation confirmed that the vast majority of records were cleared of personal information in accordance with our standard practices," the company said in a blog post, adding that "In some scenarios, the data may have remained unredacted if it met specific conditions."
What were the specific conditions?
Per Microsoft, if the personal information was written in a format different from the standard one - like xyz @gmail com instead of xyz@gmail.com - it wouldn't have been redacted from the database.
Also, no evidence of unauthorized access
In the same post, Microsoft also claimed that it has found no evidence indicating that an unauthorized party (apart from the security researcher who found it) got unauthorized access to this data while it was being exposed. The company added that servers in question were protected on December 31 and they are working on added steps to prevent such an incident from happening again.
