Microsoft admits data leak of 250 mn records after customer service, support records were exposed

A data breach of 250 million Microsoft users has been brought to light by the Comparitech security research team, which is led by Bob Diachenko. The researchers found that 250 million Customer Service and Support records were exposed on the web. Microsoft has since acknowledged the data breach saying it was due to “misconfiguration of an internal customer support database”, which the company uses for tracking support cases. This includes logs of conversations between Microsoft support agents and customers of 14 years. The company says it fixed the vulnerability on 31 December 2019. [caption id=“attachment_7918501” align=“alignnone” width=“1024”]  Microsoft. Image: Reuters[/caption] The researchers reveal that most of the leaked data like “emails, contact numbers, and payment information” were redacted. However, a large portion of the leaked data reportedly was also in plain text, which included, but was not limited to, customer email addresses, IP addresses, locations, Microsoft support agent emails, case numbers, resolutions, and remarks and internal notes marked as “confidential”. On 21 January 2020, Microsoft published a blog, where it admitted the data breach. Ann Johnson, corporate vice president, Cybersecurity Solutions Group at Microsoft said that the investigation “found no malicious use”. “Although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and hold ourselves accountable,” she wrote in the blog. Microsoft also revealed that this breach was caused by a change made to the database’s network security group on 5 December 2019, which contained misconfigured security rules that enabled exposure of the data. “This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services.”