There’s yet another major data breach story coming in, this time via Microsoft. Apparently, over the New Year, Microsoft exposed nearly 250 million Customer Service and Support (CSS) records on the web. The records contained logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019. All of the data was left accessible to anyone with a web browser, with no password or other authentication needed.
The leak was uncovered by a Comparitech security research team led by Bob Diachenko, and shared with The Tech Portal. The team uncovered five Elasticsearch servers, each of which contained an apparently identical set of the 250 million records. Microsoft was immediately notified upon discovery of the exposed data, and according to Comparitech, Microsoft ‘took swift action’ to secure it.
General Manager Eric Doerr at Microsoft said, “We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate.”
Diachenko explains that while most of the personally identifiable information—email aliases, contract numbers, and payment information—was redacted, many data points were left lying out in the open. Many records contained plain text data, including but not limited to: customer email addresses, IP addresses, locations, descriptions of CSS claims and cases, Microsoft support agent emails, case numbers, resolutions, and remarks and internal notes marked as “confidential”.
The data could be valuable to tech support scammers, in particular.
Tech support scams entail a scammer contacting users and pretending to be a Microsoft support representative. These types of scams are quite prevalent, and even when scammers don’t have any personal information about their targets, they often impersonate Microsoft staff. Microsoft Windows is, after all, the most popular operating system in the world.