Pierluigi Paganini January 23, 2020

An expert discovered that over 250 million Microsoft customer support records might have been exposed along with some personally identifiable information.

The popular researcher Bob Diachenko found an unprotected database containing over 250 million customer support records along with some personally identifiable information. The unprotected archive was containing support requests submitted to the tech giant from 2005 to December 2019.

Diachenko reported his discovery to the company that after investigating the issue admitted the data leak.

“Today, we concluded an investigation into a misconfiguration of an internal customer support database used for Microsoft support case analytics.” reads the post published by Microsoft. “While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.”

Microsoft confirmed that Customer Service and Support” (CSS) records were exposed online due to a misconfigured server containing logs of conversations between the support team and its customers.

Microsoft secured the database on December 31, 2019, it also added that it is not aware of malicious use of the data.

Microsoft explained that the database was redacted using automated tools to remove the personally identifiable information of its customers, but in some sporadic cases, this information was not removed because there was not a standard format.

Diachenko confirmed the presence of many records containing the following attributes:

• Customer email addresses
• IP addresses
• Locations
• Descriptions of CSS claims and cases
• Microsoft support agent emails
• Case numbers, resolutions, and remarks
• Internal notes marked as “confidential”

The availability of detailed logs in the hand of crooks could expose Microsoft customers to the risk of Tech support scams. 

“Even though most personally identifiable information was redacted from the records, the dangers of this exposure should not be underestimated. The data could be valuable to tech support scammers, in particular.” explained Diachenko.

“Tech support scams entail a scammer contacting users and pretending to be a Microsoft support representative. These types of scams are quite prevalent, and even when scammers don’t have any personal information about their targets, they often impersonate Microsoft staff. Microsoft Windows is, after all, the most popular operating system in the world.”

Technical support logs frequently expose VIP clients, their internal architectures, such kind of data could be used by cyber criminals to compromise the customers’ systems.

The company started notifying impacted customers, below the timeline of the data leak:

• December 28, 2019 – The databases were indexed by search engine BinaryEdge
• December 29, 2019 – Diachenko discovered the databases and immediately notified Microsoft.
• December 30-31, 2019 – The tech giant secured the servers and data. Diachenko and Microsoft continued the investigation and remediation process.
• Jan 21, 2020 – Microsoft disclosed additional details about the exposure as a result of the investigation.

Pierluigi Paganini

(SecurityAffairs – data leak, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]