Those users who have contacted Microsoft for support in the past 14 years are likely to have their technical query and some personally identifiable information compromised.
Microsoft revealed about a security incident which exposed almost 250 million “Customer Service and Support” (CSS) records on the Internet due to a misconfigured server containing logs of conversations between its support team and customers.
Bob Diachenko, a cybersecurity researcher who found the unprotected database and reported to Microsoft said that the logs contained records from 2005 to December 2019.
Microsoft confirmed in a blog post that it was due to misconfigured security rules added to the server in question on December 5, 2019, that the data was exposed. It was in use until engineers rectified the configuration on December 31, 2019.
Microsoft also stated that the database was altered using automated tools to remove the personally identifiable information of most customers, except in some cases where the information was not in the standard format.
According to Diachenko, many records in the leaked database contained readable data of the customers which includes email addresses, IP addresses, Locations, Descriptions of CSS claims and cases, Microsoft support agent emails, Case numbers, resolutions, and remarks and Internal notes marked as “confidential.”
Microsoft said that the issue was specific to an internal database used for support case analytics and that it does not represent an exposure of their commercial cloud services.
Since the real sensitive case information and email addresses of affected customers were exposed, the leaked data could be misused by tech-support scammers to trick users into paying for non-existent computer problems by impersonating Microsoft support representatives.
Due to this incident, the company began to notify the affected customers whose data was present in the exposed Customer Service and Support database.