While most people were out celebrating the start of a new year, Microsoft’s security teams were working overtime to close a potentially enormous security loophole. On Thursday, the company disclosed a database error that temporarily left approximately 250 million customer service and support records accessible to anyone with a web browser.
Security researcher Bob Diachenko and Comparitech discovered the vulnerability on December 29th. Microsoft quickly fixed the issue two days later. It says the exposure was caused by a “misconfiguration” of one of its internal customer support databases. The company claims it found no evidence of “malicious use.”
The server included conversation logs dating as far back as 2005 between Microsoft support personnel and customers from across the world. According to Comparitech, the database wasn’t password-protected.
Microsoft says the “vast majority” of personal data that was exposed was redacted. However, Comparitech notes some information, such as email and IP addresses, was stored in plain text. Had someone been able to access the logs, they could have used them to more easily impersonate the company’s support staff in a phishing scheme.
“We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence,” Microsoft said. The company has started notifying people whose data was stored on the database.
In the wake of this latest exposure, Microsoft says it plans to audit its internal security rules, as well as implement additional tools to redact sensitive user information automatically. It will also put in place new and expanded alerts to notify its service teams when it detects a security misconfiguration.
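The automatic redaction the article mentions is a concrete engineering task: strip the e-mail and IP addresses that Comparitech found in plain text before a record ever reaches a shared database. The following Python is an added example written for this page, not Microsoft's or Comparitech's tooling; the support-log records are constructed for illustration, and the token strings and function names are the author's own choices. It finds the two kinds of identifiers the article names, returns what it found so a service team can raise an alert, and writes back a scrubbed copy of each record.

```python
"""Scrub e-mail and IPv4 addresses from support-log records before storage.

Added example for this article; not code from Microsoft or Comparitech.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample records modelled on the article's description: free-text
# conversation logs with e-mail and IP addresses stored in plain text.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"id": "1", "created": "2019-11-02",
     "text": "Customer alice@example.com reports login failure from 203.0.113.45."},
    {"id": "2", "created": "2018-06-14",
     "text": "Follow-up sent to bob.smith@example.org; no further details."},
    {"id": "3", "created": "2005-03-01",
     "text": "Ticket closed. Build 10.0.18362.1 installed, no reply needed."},
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Dotted quads with octets 0-255. The lookarounds refuse a dot or digit on
# either side so a build number such as 10.0.18362.1 is not treated as an
# address, while a sentence-ending period after the address is still allowed.
IPV4_RE = re.compile(
    r"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
    r"(?:25[0-5]|2[0-4]\d|1?\d?\d)(?!\d|\.\d)"
)

# Redaction tokens are assumed values chosen for this example.
EMAIL_TOKEN = "[EMAIL REDACTED]"
IP_TOKEN = "[IP REDACTED]"


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) pairs for every e-mail or IPv4 address in text.

    This is the alerting side: a non-empty result on a record that is about
    to be written to a shared store is the signal a service team would want.
    """
    found = [("email", m.group(0)) for m in EMAIL_RE.finditer(text)]
    found += [("ip", m.group(0)) for m in IPV4_RE.finditer(text)]
    return found


def redact_text(text: str) -> Tuple[str, int]:
    """Replace each match with a fixed token; return new text and match count."""
    emails = len(EMAIL_RE.findall(text))
    text = EMAIL_RE.sub(EMAIL_TOKEN, text)
    ips = len(IPV4_RE.findall(text))
    text = IPV4_RE.sub(IP_TOKEN, text)
    return text, emails + ips


def redact_records(records: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], int]:
    """Return scrubbed copies of the records and the total number of redactions.

    Records are copied rather than mutated so the caller can compare the two.
    """
    scrubbed = []
    total = 0
    for rec in records:
        new_text, n = redact_text(rec["text"])
        total += n
        scrubbed.append({**rec, "text": new_text})
    return scrubbed, total


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        hits = find_sensitive(rec["text"])
        if hits:
            print(f"ALERT record {rec['id']}: {len(hits)} sensitive value(s) before redaction")
    cleaned, count = redact_records(SAMPLE_RECORDS)
    print(f"{count} values redacted")
    for rec in cleaned:
        print(rec["id"], rec["text"])
```

Regular expressions are deliberately narrow here: matching only what the article says was exposed keeps false positives low on free-text logs, and the `find_sensitive` check can run as a write-time gate so that a misconfigured store, if it is ever exposed again, holds tokens rather than addresses.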
For Microsoft, this is its second major data security incident tied to its customer support system in a single year. In April 2019, the company disclosed that hackers had used a customer support representative’s credentials to breach the email accounts of some of its users. Ultimately, the issue in both cases is that internal support systems have almost unprecedented levels of access to user information, making them enticing targets to hackers. Dave Aitel, the chief security technology officer at Cyxtera, told Wired at the time of the Microsoft email breach, “support is a big security hole waiting to happen.”