250 million Microsoft customer service records briefly exposed online: report
Almost 250 million records of Microsoft customer service and support reports, including locations and email addresses, were briefly exposed online in late December before the vulnerability was patched, a report published Wednesday found.
Consumer research group Comparitech found that records of conversations between Microsoft support employees and customers around the world spanning 14 years, from 2005 through the end of 2019, were left exposed on five separate servers between Dec. 28 and 29.
This information was accessible during that time to anyone with a web browser, and included customer email addresses, locations, IP addresses, case numbers and confidential internal notes on cases.
Comparitech researchers reported their findings to Microsoft, which patched the vulnerability that had left the customer service records open between Dec. 30 and 31.
Microsoft General Manager Eric Doerr said in a statement on Wednesday that the company was “thankful” for the team at Comparitech alerting them to the issue, and that Microsoft was able to “quickly fix this misconfiguration, analyze data, and notify customers as appropriate.”
Comparitech noted that it did not know whether anyone besides its researchers gained access to the servers while they were exposed.
The company warned that if anyone with malicious intent did gain access, the information could help them run scams on people with Microsoft products by impersonating customer service agents.
The team that discovered the vulnerability was led by security researcher Bob Diachenko, who praised Microsoft’s quick response in patching the vulnerability that allowed the records to be exposed.
“I immediately reported this to Microsoft and within 24 hours all servers were secured,” Diachenko said in a statement. “I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve.”
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.