A new report has revealed that Microsoft exposed nearly 250 million customer service and support records spanning a 14-year period.
On December 28, 2019, the Comparitech security research team led by Bob Diachenko uncovered five Elasticsearch databases that had been indexed by the BinaryEdge search engine.
The 250 million records contained logs and conversations between customers and Microsoft support agents from across the globe, spanning a 14-year period from 2005 to December 2019.
Each database contained an “apparently” identical set of the 250 million records. All five were left online with no passwords or any other authentication, so anyone who found the address could read them with a web browser.
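An Elasticsearch node that answers its root URL with a 200 and a cluster banner, with no credentials supplied, is in exactly the state described above. The following check is an added example, not code from the original article or from Comparitech: it probes a base URL without authentication and classifies the reply. The URL, the `classify_es_response` and `probe_elasticsearch` names, and the sample responses are all constructed for this example.

```python
import json
import urllib.error
import urllib.request


def classify_es_response(status, body):
    """Classify an HTTP response from an Elasticsearch root URL ("/").

    Returns one of:
      "open"       - 200 with an Elasticsearch banner; anyone can query it
      "protected"  - 401/403; authentication or authorization is enforced
      "unknown"    - anything else (not Elasticsearch, proxy error, ...)
    """
    if status in (401, 403):
        return "protected"
    if status == 200:
        try:
            doc = json.loads(body)
        except (ValueError, TypeError):
            return "unknown"
        # A genuine Elasticsearch root response carries a cluster name and a
        # version block; a bare 200 from some other service is not "open".
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
    return "unknown"


def probe_elasticsearch(base_url, timeout=5):
    """Fetch base_url (e.g. http://127.0.0.1:9200) with no credentials and
    classify the result. Assumes the node is reachable over plain HTTP."""
    req = urllib.request.Request(base_url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_es_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        # 401/403 arrive here; the body is still useful for classification.
        return classify_es_response(e.code, e.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return "unreachable"


# Constructed sample responses (not captured from any real host) so the
# classifier can be exercised offline.
SAMPLE_OPEN_BODY = json.dumps({
    "name": "node-1",
    "cluster_name": "support-logs",
    "version": {"number": "7.5.0"},
    "tagline": "You Know, for Search",
})
SAMPLE_PROTECTED_BODY = json.dumps({"error": {"type": "security_exception"}, "status": 401})

if __name__ == "__main__":
    for status, body in ((200, SAMPLE_OPEN_BODY), (401, SAMPLE_PROTECTED_BODY), (200, "<html>")):
        print(status, classify_es_response(status, body))
    # Against a live node: print(probe_elasticsearch("http://127.0.0.1:9200"))
```

Run `probe_elasticsearch` only against hosts you are authorized to test; an "open" result means the cluster should be bound to a private interface, put behind an authenticating proxy, or have its security features enabled before anything else is done.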
Most personally identifiable information (PII) was redacted. However, “many” records still contained customer email addresses, IP addresses, locations, descriptions of customer service and support (CSS) claims and cases, Microsoft support agent email addresses and more.
Even with most of the PII redacted, the exposure carries substantial risk, because the data is valuable to tech support scammers.
“With detailed logs and case information in hand, scammers stand a better chance of succeeding against their targets. If scammers obtained the data before it was secured, they could exploit it by impersonating a real Microsoft employee and referring to a real case number. From there, they could phish for sensitive information or hijack user devices,” explained Paul Bischoff.
Diachenko notified Microsoft about the incident the day after it was discovered, and the firm secured the servers and data within 24 hours.
“We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate,” said Eric Doerr, General Manager, Microsoft.
The post #Privacy: Microsoft exposes 250 million customer records online appeared first on PrivSec Report.