Microsoft accidentally exposed 250 million customer records — What you should know

• 250 million Microsoft customer records were exposed on an online database without password protection.
  
• The exposed information included customer records from 2005 to December 2019. Exposed customer service and support logs included conversations between Microsoft support agents and customers.
• Most personally identifiable information was redacted, although some customer email addresses, IP addresses, geographical locations, and other data were exposed.
• Comparitech security researchers led by Bob Diachenko found the breach and notified Microsoft. Microsoft secured its database within 24 hours.
• The risk? Cybercriminals could use the exposed information in tech-support scams or phishing scams.

What data was exposed?

Most of the information exposed were customer service and support logs. Companies often keep this information as a record of conversations with customers.

In the Microsoft breach, most personally identifiable information was redacted from the records — meaning it was removed.

For some customers, additional information was exposed. Here’s what may have been included in those cases.

• Customer email addresses.
• IP addresses.
• Microsoft support agent emails.
• Case numbers and resolutions.
• Internal notes marked as confidential.

How do I protect against tech support scams?

Here are some tips to help protect yourself against tech support scams.

• Keep in mind most large corporations, including Microsoft, will not reach out to you about your tech problems. You have to initiate the communication. If someone is reaching out proactively, be suspicious. Even if they are following up on a recent, coincidental call of yours, hang up the phone. Call back the official support number on the company page – and not a number that was sent to you.
• If the inquiry is over email, be careful about the source and destination of the incoming message. Do not share personally identifiable information over email. Most large companies will never ask for your password or other PII (Personal Identifiable Information) over email – and possibly not even over the phone. Most large companies have more secure methods of authenticating users.
• Report any suspicious activity to the company. This will help the company remediate the situation.
• If passwords were exposed in a data breach, it’s a good idea to change your password in the relevant account. If you used the same password for any other accounts, change those passwords, too. It’s smart to use a unique, complex passwords for each of your accounts.

What was the timeline on the Microsoft breach?

Comparitech, the company that found the Microsoft data breach, said the data was exposed for about two days. The company included this timeline in a blog post.

• December 28, 2019 – The databases were indexed by search engine BinaryEdge.
• December 29, 2019 – Comparitech researcher Bob Diachenko discovered the databases and notified Microsoft.
• December 30-31, 2019 – Microsoft secured the servers and data. Diachenko and Microsoft continued the investigation and remediation process.
• Jan 21, 2020 – Microsoft disclosed additional details about the exposure as a result of the investigation.

What is Microsoft doing?

Microsoft said it concluded an investigation into a “misconfiguration of an internal customer support database used for Microsoft support case analytics.” The company said it is taking these steps.

• Sending notifications to customers whose data was affected by the data breach.
• Taking action to prevent future occurrences of this issue.
• Auditing the established network security rules for internal resources.
• Expanding the scope of the mechanisms that detect security rule misconfigurations.
• Adding additional alerting to service teams when security rule misconfigurations are detected.