Microsoft has alerted users to a massive data breach that exposed approximately 250 million customer service support (CSS) records. The breach was discovered December 29 by a Comparitech security research team led by Bob Diachenko. Microsoft disclosed the security lapse on January 22, blaming it on a “misconfiguration of an internal customer support database used for Microsoft support case analytics.”
The exposed data included logs of conversations between Microsoft support personnel and customers from across the globe, spanning a 14-year period from 2005 to 2019. The data was visible to “anyone with a web browser”; no password or other authentication was required to view it. After being notified of the breach by Comparitech, Microsoft took action to secure the data.
Microsoft said its investigation found “no malicious use” of user data occurred and that customers did not have their personally identifiable information (PII) exposed. However, Comparitech noted that some information, such as email and IP addresses, was stored in plain text. Someone accessing the logs could have used the information they contained to impersonate the company’s support staff in a phishing scheme.
Comparitech researcher Paul Bischoff wrote in a posting Wednesday that the customer data trove contained everything a cybercriminal would need to mount a convincing and large-scale fraud effort.
“The data could be valuable to tech support scammers, in particular,” he said. “Tech support scams entail a scammer contacting users and pretending to be a Microsoft support representative. These types of scams are quite prevalent, and even when scammers don’t have any personal information about their targets, they often impersonate Microsoft staff. Microsoft Windows is, after all, the most popular operating system in the world.”