While much of the personally identifiable information was redacted, there was a wealth of data that could be used by scammers to call customers while pretending to represent Microsoft.
According to Bischoff, the records contained logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 up to December 2019.
The problem was discovered by the Comparitech security research team, led by security consultant Bob Diachenko. The team said that it discovered five Elasticsearch servers that appeared to host five identical sets of 250m records.
What data was exposed?
According to Comparitech, much of the personally identifiable information associated with the CSS records was redacted; however, many of the records still contained plaintext data.
The researchers said that this data included customer email addresses, IP addresses, locations, descriptions of CSS claims and cases, Microsoft support agent emails, case numbers, resolutions and remarks, as well as internal notes marked as ‘confidential’.
Bischoff wrote: “The dangers of this exposure should not be underestimated. The data could be valuable to tech support scammers, in particular.”
These are scammers that contact individuals under the guise of representing Microsoft. “With detailed logs and case information in hand, scammers stand a better chance of succeeding against their targets,” Bischoff added.
“If scammers obtained the data before it was secured, they could exploit it by impersonating a real Microsoft employee and referring to a real case number. From there, they could phish for sensitive information or hijack user devices.”
Comparitech reminded Microsoft customers to remain vigilant if they receive any unsolicited calls from Microsoft, as the company “never proactively reaches out to users to solve their tech problems”.
Solving the issue
The data was exposed after it was indexed by search engine BinaryEdge. Comparitech believes that this data was accessible for about two days in late December before Diachenko contacted Microsoft to report the problem, helping the company to take action.
Eric Doerr, general manager of the Microsoft security response team, said: “We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyse data, and notify customers as appropriate.”
Diachenko said: “I immediately reported this to Microsoft and within 24 hours, all servers were secured. I applaud the MS support team for responsiveness and quick turnaround on this, despite New Year’s Eve.”
In an update today (22 January), the Microsoft Security Response Center said that it had concluded an investigation into the “misconfiguration of an internal customer support database”.
“While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable,” it added.
This is one of a number of discoveries Diachenko has made and reported through Comparitech. His team’s past discoveries include 267m Facebook user IDs and phone numbers exposed online, and 2.7bn exposed email addresses from mostly Chinese domains, 1m of which were paired with passwords.