Microsoft has confirmed a massive data breach affecting anonymised data held on its customer support database.
Up to 250 million records were exposed online between 5 and 31 December as a result of the tech giant failing to implement proper protections.
The information, which includes email addresses, IP addresses and support case details, was held on leaky Elasticsearch servers.
Security researchers at Comparitech discovered the vulnerability on New Year’s Eve and notified Microsoft, which worked quickly to fix the error.
What went wrong?
Microsoft says the error stems from a change it made to the databases’ network security group, causing misconfigured security rules.
“As part of Microsoft’s standard operating procedures, data stored in the support case analytics database is redacted using automated tools to remove personal information,” Microsoft said.
Unfortunately, some records that should have been redacted were missed. One reason this occurred is that the tool didn’t recognise email addresses that erroneously included a space – such as ‘name @gmail.com’.
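The redaction gap described above, as an added illustration that is not Microsoft's tooling (its actual patterns are not public): a minimal Python redactor with a strict email pattern beside one that tolerates whitespace around '@', plus a post-redaction check that flags any record still containing an '@' so a release gate can refuse to publish it. The sample records are constructed.

```python
import re

# Constructed sample support-case notes; none are from the real dataset.
SAMPLE_RECORDS = [
    "Customer alice@example.com reported login failures from 203.0.113.7",
    "Customer bob @example.com reported login failures from 203.0.113.8",  # space before '@'
    "Customer carol@ example.com asked about billing",                      # space after '@'
    "No contact data in this note",
]

# Strict pattern of the kind a naive tool assumes: no whitespace anywhere in the address.
STRICT_EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Tolerant pattern: permits spaces or tabs on either side of '@', which is exactly
# how malformed entries such as 'name @gmail.com' slip past the strict matcher.
TOLERANT_EMAIL = re.compile(r"\b[\w.+-]+[ \t]*@[ \t]*[\w-]+(?:\.[\w-]+)+\b")

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def redact(text, email_pattern=TOLERANT_EMAIL):
    """Replace email addresses and IPv4 addresses with fixed placeholder tokens."""
    text = email_pattern.sub("[EMAIL]", text)
    return IPV4.sub("[IP]", text)


def unredacted_emails(records, email_pattern=TOLERANT_EMAIL):
    """Verification pass: redact every record, then return those that still contain an
    '@'. A publishing step should refuse to proceed while this list is non-empty."""
    return [r for r in records if "@" in redact(r, email_pattern)]


if __name__ == "__main__":
    for name, pattern in (("strict", STRICT_EMAIL), ("tolerant", TOLERANT_EMAIL)):
        leaked = unredacted_emails(SAMPLE_RECORDS, pattern)
        print(f"{name}: {len(leaked)} record(s) still contain an email address")
        for rec in leaked:
            print("  MISSED:", redact(rec, pattern))
```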
Microsoft is fortunate that security researchers identified this error promptly, although it is worth remembering that if Comparitech found the leak it’s possible that a malicious actor may also have spotted it.
As such, we suggest exercising caution should you receive an email supposedly from Microsoft in the coming weeks.
If a criminal hacker found the database, they’d have a bounty of contact details connected to Microsoft accounts. With that information, they could – for example – scam victims with bogus emails telling them to secure their account.