This article has been reproduced for the benefit of our readers. Original article by Steve Symanovich, a Norton employee.
- 250 million Microsoft customer records were exposed on an online database without password protection.
- The exposed information included customer records from 2005 to December 2019. Exposed customer service and support logs included conversations between Microsoft support agents and customers.
- Most personally identifiable information was redacted, although some customer email addresses, IP addresses, geographical locations, and other data were exposed.
- Comparitech security researchers led by Bob Diachenko found the breach and notified Microsoft. Microsoft secured its database within 24 hours.
- The risk? Cybercriminals could use the exposed information in tech-support scams or phishing scams.
Microsoft has acknowledged an access misconfiguration where 250 million customer records were exposed on a database without password protection.
The exposed records — including conversations with customers and Microsoft support agents — date from 2005 to December 2019.
The exposed information could raise the risk of tech-support scams targeting Microsoft customers. Scammers might be able to use the information to pretend they’re Microsoft support agents and try to trick customers into sharing their personal information.
Microsoft said there is no evidence that cybercriminals accessed the exposed information.
What data was exposed?
Most of the exposed information was customer service and support logs. Companies often keep this information as a record of conversations with customers.
In the Microsoft breach, most personally identifiable information was redacted from the records — meaning it was removed.
For some customers, additional information was exposed. Here’s what may have been included in those cases.
- Customer email addresses.
- IP addresses.
- Microsoft support agent emails.
- Case numbers and resolutions.
- Internal notes marked as confidential.
“The added information could put you at risk of tech support scams pretending to be Microsoft. How? Scammers may have accessed lists of Microsoft customers and their email addresses.”
How do I protect against tech support scams?
Here are some tips to help protect yourself against tech support scams.
- Keep in mind most large corporations, including Microsoft, will not reach out to you about your tech problems. You have to initiate the communication. If someone is reaching out proactively, be suspicious. Even if they are following up on a recent, coincidental call of yours, hang up the phone. Call back the official support number on the company page – and not a number that was sent to you.
- If the inquiry is over email, be careful about the source and destination of the incoming message. Do not share personally identifiable information over email. Most large companies will never ask for your password or other PII (Personally Identifiable Information) over email – and possibly not even over the phone. Most large companies have more secure methods of authenticating users.
- Report any suspicious activity to the company. This will help the company remediate the situation.
- If passwords were exposed in a data breach, it’s a good idea to change your password in the relevant account. If you used the same password for any other accounts, change those passwords, too. It’s smart to use a unique, complex password for each of your accounts.
What was the timeline on the Microsoft breach?
Comparitech, the company that found the Microsoft data breach, said the data was exposed for about two days. The company included this timeline in a blog post.
- December 28, 2019 – The databases were indexed by search engine BinaryEdge.
- December 29, 2019 – Comparitech researcher Bob Diachenko discovered the databases and notified Microsoft.
- December 30-31, 2019 – Microsoft secured the servers and data. Diachenko and Microsoft continued the investigation and remediation process.
- January 21, 2020 – Microsoft disclosed additional details about the exposure as a result of the investigation.
In a blog post, Microsoft wrote, “We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence. We also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this misconfiguration, investigate the situation, and begin notifying customers.”
What is Microsoft doing?
Microsoft said it concluded an investigation into a “misconfiguration of an internal customer support database used for Microsoft support case analytics.” The company said it is taking these steps.
- Sending notifications to customers whose data was affected by the data breach.
- Taking action to prevent future occurrences of this issue.
- Auditing the established network security rules for internal resources.
- Expanding the scope of the mechanisms that detect security rule misconfigurations.
- Adding additional alerting to service teams when security rule misconfigurations are detected.
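As an added illustration of the last three steps (auditing network security rules, detecting misconfigurations and alerting on them), the following Python audit was written for this article and is not Microsoft's own tooling: it evaluates a constructed set of inbound security rules in priority order and reports any database listener port that is effectively reachable from the Internet. The rule fields, the port list and the sample rules are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:  # field names are assumptions for this example, not a vendor schema
    name: str
    priority: int      # lower number is evaluated first, as in most cloud NSGs
    direction: str     # "inbound" or "outbound"
    action: str        # "allow" or "deny"
    source: str        # CIDR, "*", or the keyword "Internet"
    port: int          # destination port, 0 meaning any port

# Listener ports of common database / search engines (constructed list).
DATA_PORTS = [1433, 3306, 5432, 6379, 9200, 27017]

def is_public(source):
    """True if the source covers traffic from outside private address space."""
    if source in ("*", "Internet", "0.0.0.0/0", "::/0"):
        return True
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return False
    return not (net.is_private or net.is_loopback)

def effective_rule(rules, port):
    """First inbound rule, by priority, matching Internet traffic to `port` (None = implicit deny)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction == "inbound" and r.port in (0, port) and is_public(r.source):
            return r
    return None

def audit(rules):
    """Return (port, rule name) for each data port that is effectively open to the Internet."""
    findings = []
    for port in DATA_PORTS:
        r = effective_rule(rules, port)
        if r is not None and r.action == "allow":
            findings.append((port, r.name))
    return findings

# Constructed sample rule set: one rule leaves a search/database port open to any source.
SAMPLE_RULES = [
    Rule("allow-https", 100, "inbound", "allow", "Internet", 443),
    Rule("deny-redis", 110, "inbound", "deny", "*", 6379),
    Rule("allow-search-any", 200, "inbound", "allow", "*", 9200),
    Rule("allow-sql-corp", 300, "inbound", "allow", "10.0.0.0/8", 1433),
    Rule("deny-all-inbound", 65000, "inbound", "deny", "*", 0),
]
```

Calling `audit(SAMPLE_RULES)` flags only port 9200 via `allow-search-any`; the Redis port is shielded by an earlier deny rule and the SQL port is restricted to private address space, so neither raises an alert.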
A major data breach is a reminder that cybercriminals who access exposed data, which sometimes can include PII, can use it for a variety of crimes, including identity theft. It’s also important to know that many of these crimes can occur years after a breach.