Microsoft says it has wrapped up an investigation into a "misconfiguration of an internal customer support database" used for support case analytics, in which customer records were exposed.
"Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data. Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access," Microsoft stated in a blog post.
Bob Diachenko, a security researcher with Security Discovery, found the improperly configured database and notified Microsoft. According to Comparitech and its security team led by Diachenko, the misconfiguration affected five servers, each of which contained an identical set of 250 million records.
"I immediately reported this to Microsoft and within 24 hours all servers were secured," Diachenko said. "I applaud the MS support team for responsiveness and quick turnaround on this despite New Year's Eve."
Microsoft points out that the "vast majority of records were cleared of personal information," the result of using automated tools to redact certain info. However, that wasn't the case for every record.
Comparitech says "many records contained plain text data," including customer email addresses, IP addresses, locations, descriptions of support claims and cases, support agent emails, case numbers and remarks, and internal notes marked as "confidential."
"Even though most personally identifiable information was redacted from the records, the dangers of this exposure should not be underestimated. The data could be valuable to tech support scammers, in particular," Comparitech says.
The security firm is correct, as tech support scammers can use the kind of information that was exposed to contact individuals and spoof Microsoft support, citing actual case numbers and other details that only Microsoft should know about.
Tech savvy uses already know to be wary of unsolicited emails and phone calls. However, given this recent incident, now is a good time to remind any less savvy family members and friends to be on the lookout for these types of scams.
