
Microsoft Customer Support Records Leaked

February 18, 2020

By Anton Kiorolgo

250 million Microsoft customer support records, over a decade’s worth, have been compromised after being left accessible online in an unsecured database.

What Types of Customer Accounts Were Compromised?

The compromised databases largely fell under the umbrella of customer service, detailing routine customer support queries and tickets. Around 250 million records were compromised, covering the period from 2005 to 2019.

The databases were not protected by a password or any other form of user authentication. Essentially, they were unlocked and accessible to anyone with a web browser.


What Information Was Included:

  • Email addresses
  • IP addresses
  • Physical locations
  • Support ID numbers
  • Claim/Case numbers
  • Claim/Case resolutions
  • Claim/Case notes

What Information Wasn’t Included:

  • Payment card numbers
  • Customer phone numbers
  • Customers’ personal identification information

What is the Status of the Breach?

It isn’t well known whether cybercriminals accessed the database before the loophole was closed.

On December 28th, the security loophole was discovered by Comparitech, using the search engine BinaryEdge, which searches for and indexes security risks on the surface web.

Within 24 hours after being alerted, Microsoft had closed the loophole.

Microsoft has stated that no evidence was found that the unsecured information has been used maliciously. According to Microsoft, lapsed security rules on December 5, 2019 opened access to the database. Access remained open until December 31, when it was corrected.

Some have criticized Microsoft for storing customer support dialogues from so long ago, arguing that keeping so much information in one spot, unguarded, creates an ideal environment for a breach.


What Happens Now?

Unfortunately, the information that was leaked is valuable to phishing scammers. It can be used to spoof Microsoft support tickets in order to collect information from unsuspecting victims. Microsoft suggests users forward any phishing contact to them in the documentation for multiple pieces of software, including the Microsoft Office suite.
