For almost a month, the contact details of 250 million Microsoft technical support users were available online, without any protection. Alerted by security experts, Microsoft corrected the problem in 24 hours, but it is not yet known whether hackers were able to access this confidential data.
The year 2019 ended with a serious security incident at Microsoft. On December 29, cybersecurity researcher Bob Diachenko, assisted by a team at Comparitech discovered 250 million files from Microsoft customer service, put online without any protection, accessible from a simple browser without any password . Comparitech detailed the discovery in a blog post .
The team found five Elasticsearch servers , containing Microsoft customer service records over a 14-year period, starting in 2005. The data was first indexed on December 28, 2019 by the search engine BinaryEdge , before be discovered by the researcher the next day. The files contained customer email addresses, IP addresses , geographic location, complaint descriptions, Microsoft agent emails , file numbers, solutions, remarks, and confidential internal notes. A real gold mine for potential pirates.
Data exposed on the web since December 5
Bob Diachenko said he contacted Microsoft immediately, who secured all servers within 24 hours. A lot of personal information had already been redacted, and according to a Microsoft publication , most customer files did not contain identifying information. According to the firm, the leak was caused by a change in the database network security group on December 5, 2019, which means that this information was publicly available for almost a month.
There is currently no indication that a third party has accessed this data. However, all users who have already contacted Microsoft technical support or customer service should be extra vigilant. The scams to fake support are common, where people call their victims by posing as Microsoft to convince the person to disclose information or install software on their computer . If these databases have fallen into the wrong hands, they may have enough information to convince many victims.
Beware of false technical support scam
Microsoft has apologized for this server configuration error, and says it is taking action to prevent it from happening again in the future. This includes reviewing all internal network security rules, improving automatic detection and alerts for configuration errors, and automatically purging personal information from databases.
The firm also indicated that it has started contacting all of the identifiable customers in the database . Microsoft will warn the victims but will not ask for any further action from them. Remember that Microsoft technical support never contacts customers to report a problem on their computer, and never asks for a password by email, or install remote control software like TeamViewer . Any such request, via email, would therefore be a scam.