Published: February 04, 2021

Microsoft accidentally exposed 250 million customer records — What you should know


Steve Symanovich

Staff writer

  • 250 million Microsoft customer records were exposed on an online database without password protection.
  • The exposed information included customer records from 2005 to December 2019. Exposed customer service and support logs included conversations between Microsoft support agents and customers.
  • Most personally identifiable information was redacted, although some customer email addresses, IP addresses, geographical locations, and other data were exposed.
  • Comparitech security researchers led by Bob Diachenko found the breach and notified Microsoft. Microsoft secured its database within 24 hours.
  • The risk? Cybercriminals could use the exposed information in tech-support scams or phishing scams.
Microsoft has acknowledged an access misconfiguration where 250 million customer records were exposed on a database without password protection.
The exposed records — including conversations with customers and Microsoft support agents — date from 2005 to December 2019.
The exposed information could raise the risk of tech-support scams targeting Microsoft customers. Scammers might be able to use the information to pretend they’re Microsoft support agents and try to trick customers into sharing their personal information.
Microsoft said there is no evidence that cybercriminals accessed the exposed information.

What data was exposed?

Most of the exposed information consisted of customer service and support logs. Companies often keep this information as a record of conversations with customers.

In the Microsoft breach, most personally identifiable information was redacted from the records — meaning it was removed.

For some customers, additional information was exposed. Here’s what may have been included in those cases.

  • Customer email addresses.
  • IP addresses.
  • Microsoft support agent emails.
  • Case numbers and resolutions.
  • Internal notes marked as confidential.
“The added information could make you at risk of tech support scams pretending to be Microsoft. How? Scammers may have accessed lists of Microsoft customers and their email addresses.”

How do I protect against tech support scams?

Here are some tips to help protect yourself against tech support scams.

  • Keep in mind most large corporations, including Microsoft, will not reach out to you about your tech problems. You have to initiate the communication. If someone is reaching out proactively, be suspicious. Even if they are following up on a recent, coincidental call of yours, hang up the phone. Call back the official support number on the company page – and not a number that was sent to you.
  • If the inquiry is over email, be careful about the source and destination of the incoming message. Do not share personally identifiable information over email. Most large companies will never ask for your password or other PII (personally identifiable information) over email – and possibly not even over the phone. Most large companies have more secure methods of authenticating users.
  • Report any suspicious activity to the company. This will help the company remediate the situation.
  • If passwords were exposed in a data breach, it’s a good idea to change your password in the relevant account. If you used the same password for any other accounts, change those passwords, too. It’s smart to use a unique, complex password for each of your accounts.

What was the timeline on the Microsoft breach?

Comparitech, the company that found the Microsoft data breach, said the data was exposed for about two days. The company included this timeline in a blog post.

  • December 28, 2019 – The databases were indexed by search engine BinaryEdge.
  • December 29, 2019 – Comparitech researcher Bob Diachenko discovered the databases and notified Microsoft.
  • December 30-31, 2019 – Microsoft secured the servers and data. Diachenko and Microsoft continued the investigation and remediation process.
  • Jan 21, 2020 – Microsoft disclosed additional details about the exposure as a result of the investigation.
In a blog post, Microsoft wrote, “We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence. We also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this misconfiguration, investigate the situation, and begin notifying customers.”

What is Microsoft doing?

Microsoft said it concluded an investigation into a “misconfiguration of an internal customer support database used for Microsoft support case analytics.” The company said it is taking these steps.

  • Sending notifications to customers whose data was affected by the data breach.
  • Taking action to prevent future occurrences of this issue.
  • Auditing the established network security rules for internal resources.
  • Expanding the scope of the mechanisms that detect security rule misconfigurations.
  • Adding additional alerting to service teams when security rule misconfigurations are detected.
A major data breach is a reminder that cybercriminals who access exposed data, which sometimes can include PII, can use it for a variety of crimes, including identity theft. It’s also important to know that many of these crimes can occur years after a breach.

Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.
