Security research company Comparitech.com recently discovered 250 million Microsoft records exposed on the web.
The data consisted of Customer Service and Support (CSS) records, which include customer email addresses, IP addresses and locations, as well as descriptions of the CSS claims and cases and the email addresses of Microsoft employees.
The research team, led by security researcher Bob Diachenko, discovered five Elasticsearch servers where the information was stored. The data covered a significant time period, spanning 14 years from 2005 to December 2019, with full logs of discussions between customers and internal Microsoft support agents.
The huge cache of information was unsecured for around two days before Comparitech were able to alert Microsoft, who then secured the data. Eric Doerr, General Manager of Microsoft, expressed his gratitude, saying “we’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyse data, and notify customers as appropriate.”
This is not the first time Microsoft have been caught out from a security perspective. The company were also breached in 2013, when hackers gained access to a secret database used for tracking bugs in its software.
While significant chunks of the PII were redacted from the records, the exposure could still have posed serious problems for Microsoft customers. This breach is custom-made for tech support scams, for example, which involve a cybercriminal posing as a support employee. These scams are successful even without the relevant information, so the addition of people’s specific issues with Microsoft products would be a huge assistance to criminals attempting this kind of scam.