Microsoft cops to exposing customer data online

Microsoft has admitted to accidentally exposing more than 250 million customer support records in a data leak involving a misconfigured database.

Researchers at tech comparison website Comparitech recently uncovered five publicly accessible Elasticsearch servers online, each containing an identical set of the 250 million records.

The records contained logs of conversations between Microsoft support agents and customers worldwide dating back 14 years to 2005.

While most of the personally identified information was redacted, many records contained plain text data that included customer email address, IP addresses, locations, Microsoft support agent emails and other potentially sensitive information, Comparitech said.

According to Microsoft, an investigation into the leak has found no malicious use of the data.

The company has traced the leak to a change made to a database's network security group on 5 December which inadvertently contained misconfigured security rules. The configuration was altered on 31 December, restricting public access to the database.

While most identifying data was redacted using automated tools, Microsoft acknowledged that in a small amount of cases some sensitive data may have remained unredacted — such as email addresses typed out in a non-standard format. The company has started notifying customers who had unredacted data in the database.

Meanwhile, the company is taking actions to prevent a recurrence of such an incident, including auditing established network security rules for internal resources and expanding the scope of mechanisms in place to detect security rule misconfigurations.

Image credit: ©stock.adobe.com/au/Igor