Microsoft left customer service and support records exposed online, the company disclosed in a blog post today. The issue was first discovered by a team of security researchers led by Bob Diachenko, and the exposed database contained 250 million records from customer service and support logs.
According to Microsoft, the database was accidentally exposed by a misconfiguration of its network security rules that resulted from a change made on December 5. The exposed databases were indexed by the BinaryEdge search engine on December 28, and Diachenko discovered them on December 29. Although the exposure fell in the holiday season, Microsoft fixed the issue quickly, and the data was secured by December 31.
The records were logs of conversations between customers and Microsoft's support teams, and most of the data in them was redacted as part of Microsoft's standard procedures. However, some data may have been left in plain text, including e-mail addresses of customers and support agents, IP addresses, locations, case numbers, and confidential internal notes. As the research team that discovered the issue noted, this kind of information lets malicious actors impersonate Microsoft support agents convincingly in order to scam customers. Microsoft says it found no evidence that the data was misused.
Microsoft also says it is committed to preventing this sort of situation from happening again and is taking a number of steps: auditing the network security rules currently in place, adding alerts that fire when misconfigurations are detected, and implementing more automated redaction. The company is also notifying any customers affected by the incident.
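The two failure modes in this story, a network security rule that opens a database to the whole internet and support-log text that still carries plain-text e-mail and IP addresses, are both things an automated check can catch. The following is an added example written for this article, not Microsoft's tooling, rules or data: the rule list, the database port set, the internal address ranges, the field names and the sample support record are all constructed for illustration. `exposed_database_rules` is the audit that an alert would be built on, and `redact_record` plus `residual_pii` show a redaction pass with a check that nothing recognisable was left behind.

```python
"""Illustrative checks for an exposed-database rule and for unredacted PII in
support records. All rules, ports, ranges and records below are constructed
sample data for this example, not Microsoft's."""
import ipaddress
import re
from typing import Dict, List

# Ports an exposure alert would watch (assumption: common database listeners).
DATABASE_PORTS = {1433, 3306, 5432, 6379, 9200, 27017}

# Address ranges that count as "internal" for this example (RFC 1918 space).
INTERNAL_RANGES = [ipaddress.ip_network(c)
                   for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed rule list; the field names are a generic shape, not a vendor schema.
SAMPLE_RULES: List[Dict] = [
    {"name": "ops-ssh", "direction": "inbound", "action": "allow",
     "source": "10.20.0.0/16", "port": 22},
    {"name": "search-internal", "direction": "inbound", "action": "allow",
     "source": "10.0.0.0/8", "port": 9200},
    # The kind of change that exposes a database: the source widened to everyone.
    {"name": "search-public", "direction": "inbound", "action": "allow",
     "source": "0.0.0.0/0", "port": 9200},
    {"name": "deny-all", "direction": "inbound", "action": "deny",
     "source": "0.0.0.0/0", "port": 0},
]


def exposed_database_rules(rules: List[Dict]) -> List[str]:
    """Return the names of inbound allow rules that open a database port to a
    source outside the internal ranges. A non-empty result is the alert condition."""
    findings = []
    for rule in rules:
        if rule["direction"] != "inbound" or rule["action"] != "allow":
            continue
        if rule["port"] not in DATABASE_PORTS:
            continue
        source = ipaddress.ip_network(rule["source"], strict=False)
        if not any(source.subnet_of(internal) for internal in INTERNAL_RANGES):
            findings.append(rule["name"])
    return findings


# Patterns for the two field types the article says may have stayed in plain text.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed support record; the addresses are from documentation ranges.
SAMPLE_RECORD: Dict[str, str] = {
    "case_id": "CASE-00000001",
    "agent": "agent.example@example.com",
    "customer_ip": "203.0.113.42",
    "notes": "Customer customer@example.org called from 203.0.113.42 about a licence issue.",
}


def redact_record(record: Dict[str, str]) -> Dict[str, str]:
    """Replace e-mail and IPv4 addresses in every field with fixed tokens, so a
    record that leaks cannot be used to contact or locate the people in it."""
    redacted = {}
    for key, value in record.items():
        value = EMAIL_RE.sub("[email]", value)
        value = IPV4_RE.sub("[ip]", value)
        redacted[key] = value
    return redacted


def residual_pii(record: Dict[str, str]) -> int:
    """Count fields that still match a PII pattern; run after redaction, a
    non-zero result means the pass missed something and should raise an alert."""
    return sum(1 for value in record.values()
               if EMAIL_RE.search(value) or IPV4_RE.search(value))


if __name__ == "__main__":
    print("exposed rules:", exposed_database_rules(SAMPLE_RULES))
    clean = redact_record(SAMPLE_RECORD)
    print("redacted record:", clean)
    print("residual PII fields:", residual_pii(clean))
```

The rule audit deliberately works from an allow-list of internal ranges rather than trying to recognise "public" addresses, so a rule whose source is widened to `0.0.0.0/0` or to any unexpected range is flagged the same way. The redaction check is kept separate from the redaction itself so it can also be run against records that were redacted by some other process.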