Another day, another data breach, but this time it involves the technology giant Microsoft. Apparently, the company exposed sensitive Customer Service and Support (CSS) records, including conversations between Microsoft support agents and customers around the world.
These records were stored on a database indexed by the BinaryEdge search engine. In total, Microsoft exposed 14 years’ worth of data with 250 million CSS records. This means records from 2005 to December 2019 were leaked online and left without any authentication, allowing the public to access them with just a web browser.
The data was discovered by Comparitech’s Bob Diachenko, a security researcher known for identifying exposed databases and reporting them to their respective owners to protect them from malicious access/use.
According to the company’s blog post, the data was left exposed for two days and contained a trove of sensitive information including:
1: Email IP addresses of Microsoft’s agents and customers
2: Location details of Microsoft’s customers
3: IP addresses of Microsoft’s customers
4: Descriptions of CSS claims and cases
5: Case numbers, resolutions, and remarks
6: Internal notes marked as confidential.
What’s noteworthy is that these records were exposed in clear-text format, meaning reading them didn’t require any decryption. This type of leak is ideal for malicious hackers and online scammers, who can use the data for tech support scams, blackmail, identity theft/scams, BEC attacks and phishing campaigns. It could even pose a physical danger to customers, since their location was in the data.
However, the good news is that Diachenko contacted Microsoft about the breach on December 29, 2019, and the data was secured within 24 hours. It is as yet unclear whether the data was accessed by a third party.
In a blog post published earlier today, Microsoft apologized for the incident and wrote that,
Upon notification of the issue, engineers remediated the configuration on December 31, 2019, to restrict the database and prevent unauthorized access. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services.
This is not the first time a tech giant has left sensitive data exposed to the public. Last year, a San Francisco-based data broker called People Data Labs exposed a database with 1.2 billion people’s data without any password.
In May 2019, Freedom Mobile leaked millions of customers’ credit and debit cards online. The data also contained CVV codes in plain text.
The takeaway here is that no matter how privacy-conscious you are, your data is always at risk, and tech giants should be more vigilant than ever before, especially when it comes to the personal information of customers who trust them wholeheartedly.