Microsoft Apologizes After Exposing 250 Million Customer Records In Major Privacy Facepalm

Microsoft is coming under fire for a breach in customer privacy after it was revealed that the records of 250 million customers were exposed late last year. The data leak was initially reported on by security firm Comparitech, which found the information spread across five Elasticsearch servers.

According to Comparitech, all five servers contained identical copies of the 250 million customer records. The scope of the data was vast, covering 2005 through December 2019. What's even more unsettling is that this information was publicly indexed, meaning that anyone could access it.

Information that was exposed included customer email addresses, IP addresses, descriptions of ongoing claims and cases, email addresses of Microsoft support representatives, location data, and "confidential" internal notes penned by Microsoft support reps. Fortunately, personally identifiable data like contract numbers and payment information was scrubbed from the records.


Still, the leaked information could prove valuable to the ubiquitous tech support scammers that are a thorn in the side of PC users -- particularly older Windows customers. These scammers often impersonate Microsoft support staff to persuade their victims to sign up for paid services. As the security firm explains:

With detailed logs and case information in hand, scammers stand a better chance of succeeding against their targets. If scammers obtained the data before it was secured, they could exploit it by impersonating a real Microsoft employee and referring to a real case number. From there, they could phish for sensitive information or hijack user devices.

Comparitech reports that it first discovered the publicly accessible data on December 29th -- the day after it was first indexed by BinaryEdge -- and immediately contacted Microsoft.

"Within 24 hours all servers were secured," writes Comparitech security researcher Bob Diachenko. "I applaud the MS support team for responsiveness and quick turnaround on this despite New Year's Eve."

For its part, Microsoft attributed the breach to an "access misconfiguration" and said that it "found no malicious use" of the data. The company went on to add that "This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services."

"We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence," Microsoft concluded.

Brandon Hill

Brandon received his first PC, an IBM Aptiva 310, in 1994 and hasn’t looked back since. He cut his teeth on computer building/repair working at a mom and pop computer shop as a plucky teen in the mid 90s and went on to join AnandTech as the Senior News Editor in 1999. Brandon would later help to form DailyTech where he served as Editor-in-Chief from 2008 until 2014. Brandon is a tech geek at heart, and family members always know where to turn when they need free tech support. When he isn’t writing about the tech hardware or studying up on the latest in mobile gadgets, you’ll find him browsing forums that cater to his long-running passion: automobiles.

Opinions and content posted by HotHardware contributors are their own.