A data breach of 250 million Microsoft users has been brought to light by the Comparitech security research team. The researchers found that 250 million Customer Service and Support records were exposed on the web.
Microsoft has admitted that it ‘accidentally’ made the service and support records of more than 250 million customers accessible to anyone with a web browser and an internet connection. The exposure was temporary, however, and was caused by a database error.
The researchers reveal that most of the leaked data, such as “emails, contact numbers, and payment information”, was redacted. However, a large portion of the leaked data was reportedly also in plain text, which included, but was not limited to, customer email addresses, IP addresses, locations, Microsoft support agent emails, case numbers, resolutions, and remarks and internal notes marked as “confidential”.
“Our investigation has determined that a change made to the database’s network security group on December 5, 2019, contained misconfigured security rules that enabled exposure of the data. Upon notification of the issue, engineers remediated the configuration on December 31, 2019, to restrict the database and prevent unauthorized access. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services,” says the official statement released by the Microsoft Security Response Center.
For Microsoft, this is the second major data security incident in the past year. In April 2019, the company confirmed that hackers had accessed the customer support system and gotten their hands on the email accounts of some of its users.