Microsoft exposed 250M customer service records due to ‘misconfiguration’ of internal database

Microsoft exposed approximately 250 million customer service records due to what the company called a “misconfiguration of an internal customer support database” used for tracking support cases.

Tech review company Comparitech and security researcher Bob Diachenko spotted the exposed records. Comparitech’s security research team uncovered several “Elasticsearch servers” that held 14 years’ worth of logs of conversations between Microsoft support representatives and customers from all over the world.

In a blog post about the incident, Microsoft said the issue stemmed from a Dec. 5 change to the database that “contained misconfigured security rules that enabled exposure of the data.” Comparitech and Diachenko notified Microsoft of the problem Dec. 31, and the tech giant quickly took steps to correct it.

“Misconfigurations are unfortunately a common error across the industry,” Microsoft wrote in the blog post. “We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database.”

Microsoft said the issue was specific to the support database and does not reflect an exposure of its commercial cloud services. Per company policy, information stored in the database was redacted to remove personal information, Microsoft said.

“Our investigation confirmed that the vast majority of records were cleared of personal information in accordance with our standard practices,” according to the blog post. “In some scenarios, the data may have remained unredacted if it met specific conditions.”

Diachenko and Comparitech found plain-text data in many of the records, including customer email addresses and locations, IP addresses, internal confidential notes and the email addresses of Microsoft support agents.

Microsoft’s investigation did not find any malicious use of the data.

Comparitech noted that these kinds of incidents can often lead to “tech support scams,” where hackers pretend to be customer service agents to get access to users’ personal information. If hackers saw this data, they could launch very effective tech support scams because they would have access to customer service records and case numbers, making their attempts to contact people seem legitimate.

A recent report from Risk Based Security found that in the first nine months of 2019, 7.9 billion personal records were exposed in data breaches. The most common type of incident was an accidental internal one, exposing customer records without the presence of a hack.