Popular researcher Bob Diachenko found an unprotected database containing over 250 million customer support records, including some personally identifiable information. The unprotected database contained support requests submitted to Microsoft from 2005 to December 2019.
A post published by Microsoft on January 22, 2020 says: “Today, we concluded an investigation into a misconfiguration of an internal customer support database used for Microsoft support case analytics. While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.”
Diachenko confirmed the presence of many records containing the following attributes:
- Customer email addresses
- IP addresses
- Locations
- Descriptions of CSS (Customer Service and Support) claims and cases
- Microsoft support agent emails
- Case numbers, resolutions, and remarks
- Internal notes marked as “confidential”
Most, but not all, personally identifiable information was redacted from the records.
Here is the timeline of the data breach:
- December 28, 2019: The databases were indexed by the search engine BinaryEdge.
- December 29, 2019: Diachenko discovered the databases and immediately notified Microsoft.
- December 30-31, 2019: Microsoft secured the servers and data. Diachenko and Microsoft continued the investigation and remediation process.
- January 21, 2020: Microsoft disclosed additional details about the exposure as a result of the investigation.