Microsoft Exposes 250 Million Customer Records: What to Do

Microsoft reports that the company will now audit network security rules for internal resources, expand its scope of mechanisms that detect improper security rules, and add more alerting services for when rules aren't being properly followed. In the meantime, Microsoft customers should be careful about email phishing scams and tech support scams. Remember, Microsoft agents will never proactively call you to ask about your device, so be suspicious if you didn't call first.

January 1, 2020 – In Breaking News – CNN

Microsoft exposed nearly 250 million customer-service and customer-support records on the web for anyone to see.

Security researchers working with Comparitech discovered the unprotected data, which consisted of five identical databases containing conversation logs between Microsoft support agents and customers.

Spanning 14 years (from 2005 to December 2019), the exposed conversations included some customer email addresses, IP addresses, locations, descriptions of claims, case numbers and support agents’ email addresses.

Microsoft said it concluded an investigation into a “misconfiguration of an internal customer support database” in a notice posted on the Microsoft website.

No malicious use was discovered, but customers had “personally identifiable information exposed.”

“We want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable,” Microsoft wrote.

How was the information exposed?

Microsoft said the problem stemmed from a change made to the database on Dec. 5 that contained misconfigured security rules that left the data unsecured.

Security researcher Bob Diachenko, who works with Comparitech, notified Microsoft of the issue on Dec. 29 and Microsoft had locked down the database by Dec. 31.

Microsoft claims the issue was limited to an internal database used for support-case analytics and not commercial cloud services.

That’s critical because Microsoft requires data stored in support-case analytics databases to be redacted so that personal information is removed.

As a result, the “vast majority of records” didn’t contain personal information, including email addresses, most of which were redacted.

What information was left exposed?

Unfortunately, data was left unredacted if it met certain conditions.

Microsoft cited the example of information with a non-standard format, such as an email address in which there was a space instead of a dot before “com”.
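A worked illustration of the redaction gap described above, added here and not taken from Microsoft or Comparitech: a strict email pattern of the kind a standard-format redaction pass relies on, a tolerant pattern that also catches addresses with whitespace or a spelled-out "(dot)" before the top-level domain (going slightly beyond the single space-for-dot case the page cites), and an audit that flags records the strict pass would publish with an address still in them. The sample case notes, the TLD list and the placeholder token are constructed.

```python
import re

# Constructed sample support-case notes: one well-formed address, one with a
# space where the dot before "com" should be (the case Microsoft cited), one
# spelled out with "(dot)", and one with no contact details at all.
SAMPLE_RECORDS = [
    "Case 0001: customer alice.w@example.com reports sign-in failure.",
    "Case 0002: follow-up with bob.smith@example com about the license key.",
    "Case 0003: escalate to agent carol@support(dot)example(dot)net per notes.",
    "Case 0004: no contact details recorded.",
]

# A strict pattern of the kind a "standard format" redaction pass relies on:
# it requires a literal dot before the top-level domain, so "example com" slips through.
STRICT_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Tolerant pattern: the separator before the TLD may be a dot, whitespace,
# "(dot)" or "[dot]"; inner labels may be joined by a dot or "(dot)"/"[dot]".
# Whitespace is only allowed before the TLD, which is restricted to a known list
# (a constructed subset; extend it for real use) to limit over-matching.
MID_SEP = r"(?:\.|\s*[\(\[]dot[\)\]]\s*)"
LAST_SEP = r"(?:\.|\s+|\s*[\(\[]dot[\)\]]\s*)"
TLD = r"(?:com|net|org|edu|gov|io|co|uk)"
TOLERANT_EMAIL = re.compile(
    rf"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:{MID_SEP}[A-Za-z0-9-]+)*{LAST_SEP}{TLD}\b",
    re.IGNORECASE,
)

PLACEHOLDER = "[REDACTED-EMAIL]"


def redact(text: str, pattern: re.Pattern = TOLERANT_EMAIL) -> str:
    """Replace every address the given pattern finds with a fixed placeholder."""
    return pattern.sub(PLACEHOLDER, text)


def audit_unredacted(records: list[str]) -> list[str]:
    """Return records the strict pass would publish with an address still in them.

    Runs the strict redaction first (what a standard-format export would do),
    then checks whether the tolerant pattern still finds an address in the output.
    """
    return [r for r in records if TOLERANT_EMAIL.search(redact(r, STRICT_EMAIL))]


if __name__ == "__main__":
    for rec in audit_unredacted(SAMPLE_RECORDS):
        print("strict pass misses:", rec)
        print("tolerant pass     :", redact(rec))
```

Over-redaction is the safe failure direction for an analytics copy, so a tolerant pattern is preferable to a strict one even at the cost of occasionally masking a non-address.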

But the types of data exposed extend far beyond email addresses, according to Comparitech.

Diachenko said IP addresses, locations, descriptions of claims, support agent emails, case numbers and internal notes marked as “confidential” were also unprotected in at least some cases.

While truly sensitive data — dates of birth, credit card info or email aliases — were redacted or were never entered in the first place, the data left exposed could still be used by tech-support scammers.

With this information, the scammers could be more convincing when they called random people and claimed to be legitimate Microsoft tech-support agents.

For example, they could cite actual case numbers gathered from the exposed database.


Learn More…

(The NSA has discovered a software flaw in Microsoft’s Windows 10 operating system which could have exposed users to hacking or surveillance. CNET senior producer Dan Patterson joins CBSN to explain the significance and what’s being done about it. Courtesy of CBS News and YouTube. Posted on Jan 14, 2020.)
