Microsoft accidentally exposed 250 million customer service records

The company says it found no evidence of malicious use.
Igor Bonifacic, @igorbonifacic
January 22, 2020

While most people were out celebrating the start of a new year, Microsoft's security teams were working overtime to close a potentially enormous security loophole. On Thursday, the company disclosed a database error that temporarily left approximately 250 million customer service and support records accessible to anyone with a web browser.

Security researcher Bob Diachenko and Comparitech discovered the vulnerability on December 29th. Microsoft quickly fixed the issue two days later. It says the exposure was caused by a "misconfiguration" of one of its internal customer support databases. The company claims it found no evidence of "malicious use."

The server included conversation logs dating as far back as 2005 between Microsoft support personnel and customers from across the world. According to Comparitech, the database wasn't password-protected.

Microsoft says the "vast majority" of personal data that was exposed was redacted. However, Comparitech notes some information, such as email and IP addresses, was stored in plain text. Had someone been able to access the logs, they could have used them to more easily impersonate the company's support staff in a phishing scheme.

"We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence," Microsoft said. The company has started notifying people whose data was stored on the database.

In the wake of this latest exposure, Microsoft says it plans to audit its internal security rules, as well as implement additional tools to redact sensitive user information automatically. It will also put in place new and expanded alerts to notify its service teams when it detects a security misconfiguration.
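As an added illustration of the two remediation ideas above (automatic redaction of the email and IP addresses that were left in plain text, plus a signal when a record still carried raw identifiers), here is a small Python redactor. It is example code written for this page, not Microsoft's tooling; the record layout, the sample transcripts and the HMAC key are all constructed.

```python
import hashlib
import hmac
import re

# Constructed sample support-log records (not from the incident); the
# record shape is an assumption, not the real schema.
SAMPLE_RECORDS = [
    {"case_id": "C-0001", "agent": "support-agent-17",
     "text": "Customer jane.doe@example.com reports login failures from 203.0.113.42."},
    {"case_id": "C-0002", "agent": "support-agent-03",
     "text": "Callback requested; no contact details logged."},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash: the same email/IP maps to the same token across records,
    so cases stay correlatable without revealing the value itself."""
    return hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()[:12]


def redact_text(text: str, key: bytes) -> tuple:
    """Replace email and IPv4 addresses with tagged tokens.
    Returns (redacted_text, number_of_identifiers_found)."""
    hits = 0

    def sub_email(m):
        nonlocal hits
        hits += 1
        return f"<email:{pseudonym(m.group(0), key)}>"

    def sub_ip(m):
        nonlocal hits
        hits += 1
        return f"<ip:{pseudonym(m.group(0), key)}>"

    text = EMAIL_RE.sub(sub_email, text)
    text = IPV4_RE.sub(sub_ip, text)
    return text, hits


def redact_records(records, key: bytes):
    """Redact every record and count how many still carried raw identifiers;
    a non-zero count is the condition an 'unredacted data' alert would fire on."""
    out, flagged = [], 0
    for rec in records:
        text, hits = redact_text(rec["text"], key)
        flagged += 1 if hits else 0
        out.append({**rec, "text": text})
    return out, flagged


if __name__ == "__main__":
    cleaned, flagged = redact_records(SAMPLE_RECORDS, b"demo-key-rotate-me")
    for rec in cleaned:
        print(rec["case_id"], rec["text"])
    print(f"{flagged} record(s) contained raw identifiers before redaction")
```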

For Microsoft, this is its second major data security incident tied to its customer support system in a single year. In April 2019, the company disclosed that hackers had used a customer support representative's credentials to breach the email accounts of some of its users. Ultimately, the issue in both cases is that internal support systems have almost unprecedented levels of access to user information, making them enticing targets to hackers. Dave Aitel, the chief security technology officer at Cyxtera, told Wired at the time of the Microsoft email breach, "support is a big security hole waiting to happen."
