Over the New Year, Microsoft exposed nearly 250 million Customer Service and Support (CSS) records on the web. The records contained logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019. All of the data was left accessible to anyone with a web browser, with no password or other authentication needed.
The Comparitech security research team led by Bob Diachenko uncovered five Elasticsearch servers, each of which contained an apparently identical set of the 250 million records. Diachenko immediately notified Microsoft upon discovering the exposed data, and Microsoft took swift action to secure it.
“We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate.”
– Eric Doerr, General Manager, Microsoft
Timeline of the exposure
In total, the data was exposed for about two days before we alerted Microsoft and the records were secured.
- December 28, 2019 – The databases were indexed by search engine BinaryEdge
- December 29, 2019 – Diachenko discovered the databases and immediately notified Microsoft.
- December 30-31, 2019 – Microsoft secured the servers and data. Diachenko and Microsoft continued the investigation and remediation process.
- Jan 21, 2020 – Microsoft disclosed additional details about the exposure as a result of the investigation.
„I immediately reported this to Microsoft and within 24 hours all servers were secured,“ Diachenko said. „I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve.“
We do not know if any other unauthorized parties accessed the database during that time.
What data was exposed?
Diachenko explains that most of the personally identifiable information—email aliases, contract numbers, and payment information—was redacted. However, many records contained plain text data, including but not limited to:
- Customer email addresses
- IP addresses
- Descriptions of CSS claims and cases
- Microsoft support agent emails
- Case numbers, resolutions, and remarks
- Internal notes marked as „confidential“
Dangers of exposed data to Microsoft customers
Even though most personally identifiable information was redacted from the records, the dangers of this exposure should not be underestimated. The data could be valuable to tech support scammers, in particular.
Tech support scams entail a scammer contacting users and pretending to be a Microsoft support representative. These types of scams are quite prevalent, and even when scammers don’t have any personal information about their targets, they often impersonate Microsoft staff. Microsoft Windows is, after all, the most popular operating system in the world.
With detailed logs and case information in hand, scammers stand a better chance of succeeding against their targets. If scammers obtained the data before it was secured, they could exploit it by impersonating a real Microsoft employee and referring to a real case number. From there, they could phish for sensitive information or hijack user devices.
Microsoft customers and Windows users should be on the lookout for such scams via phone and email. Remember that Microsoft never proactively reaches out to users to solve their tech problems—users must approach Microsoft for help first. Microsoft employees will not ask for your password or request that you install remote desktop applications like TeamViewer. These are common tactics among tech scammers.
Past Microsoft breaches and exposures
This isn’t Microsoft’s first data security incident.
In 2013, hackers broke into the company’s secret database for tracking bugs in its software. That breach didn’t include any user information and was never officially disclosed to the public, but Reuters confirmed the incident with five former employees.
Between January and March 2019, hackers compromised the account of a Microsoft support agent. The company said there was a possibility that the hacker accessed the contents of some Outlook users‘ accounts.
How and why we discovered this exposure
Comparitech collaborates with security researcher Bob Diachenko to find exposed databases on the web. Diachenko’s extensive cybersecurity experience allows us to quickly and responsibly disclose data breaches and exposures to responsible parties.
Once Diachenko discovers improperly secured data, he immediately takes steps to identify and notify the owner. Once the data has been secured, Comparitech publishes a report like this one.
We investigate the contents of the database to determine what information was exposed and to whom it belongs. Our goal is to mitigate harm to end users by limiting access to the data and raising awareness among those who might be impacted.
Comparitech and Diachenko have worked together on a number of data incident reports affecting millions of people, including:
- 267 million Facebook user IDs and phone numbers exposed online
- 2.7 billion exposed email addresses from mostly Chinese domains, 1 million of which included passwords
- Detailed personal records of 188 million people found exposed on the web
- 7 million student records exposed by K12.com
- 5 million personal records belonging to MedicareSupplement.com exposed to public
- 2.8 million CenturyLink customer records exposed
- 700k Choice Hotels customer records leaked