In a recent blog post titled “Access Misconfiguration for Customer Support Database,” Microsoft disclosed a misconfiguration that left around 250 million customer service and support records accessible to anyone with a web browser. Although the exposure has been closed and the company says it found no evidence of malicious use, this is a very alarming situation.
Security researcher Bob Diachenko and Comparitech made the discovery on 29 December 2019 and reported it immediately. According to Microsoft:
Upon notification of the issue, engineers remediated the configuration on December 31, 2019, to restrict the database and prevent unauthorized access. This issue was specific to an internal database used for support case analytics and did not represent an exposure of our commercial cloud services.
The unguarded servers held conversation logs between Microsoft and its customers dating back as far as 2005. According to Microsoft, most of the personal user data in the records had been redacted.
According to Comparitech, however, email addresses and IP addresses were stored in plain text. Anyone who obtained that information could therefore impersonate the company’s support staff in a phishing scheme.
The company has started notifying users whose data was exposed and apologized in the blog post, saying:
We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence.
Apart from this, Microsoft has also stated that it will audit its internal security rules and implement additional tooling to prevent situations like this in the future. This was the second major data security incident tied to Microsoft’s customer support.