Microsoft has admitted it exposed nearly 250 million customer service records owing to "misconfiguration of an internal customer support database" used for tracking support cases that included logs of conversations between Microsoft support agents and customers from all over the world. All of the Microsoft customers' data was left accessible to anyone with a Web browser, with no password or other authentication needed, it was reported first by the Comparitech security research team led by Bob Diachenko.
"While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and hold ourselves accountable," Ann Johnson, Corporate Vice President, Cybersecurity Solutions Group at Microsoft said in a statement late Wednesday.
Microsoft's investigation determined that a change made to the database's network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data.
According to the company, its engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorised access.
"This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services," said the tech giant in a blog post.
The records contained logs of conversations spanned a 14-year period from 2005 to December 2019.
"We want to sincerely apologise and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence," said Microsoft.
The company thanked Diachenko for helping it fix the misconfiguration.
"I immediately reported this to Microsoft and within 24 hours all servers were secured," Diachenko said. "I applaud the MS support team for responsiveness and quick turnaround on this despite New Year's Eve."
Diachenko explained that most of the personally identifiable information "emails, contract numbers, and payment information" was redacted.
However, many records contained plain text data, including but not limited to customer email addresses, IP addresses, locations, Microsoft support agent emails, case numbers, resolutions, and remarks and internal notes marked as "confidential".
According to the researchers, with detailed logs and case information in hand, scammers stand a better chance of succeeding against their targets.
If scammers obtained the data before it was secured, they could exploit it by impersonating a real Microsoft employee and referring to a real case number.
"Microsoft customers and Windows users should be on the lookout for such scams via phone and email. Remember that Microsoft never proactively reaches out to users to solve their tech problems "users must approach Microsoft for help first," said the Comparitech team.
This is not Microsoft's first data security incident.
In 2013, hackers broke into the company's secret database for tracking bugs in its software.
Between January and March 2019, hackers compromised the account of a Microsoft support agent. The company said there was a possibility that the hacker accessed the contents of some Outlook users' accounts.