Microsoft may not be starting the year on the right foot, at least as far as security is concerned. Just last week the NSA, of all people, disclosed a critical Windows 10 vulnerability, which was followed by a US-CERT report of an actively exploited Internet Explorer security bug. Microsoft’s security mishaps, however, may stretch even further back, to New Year’s Eve, when it was discovered that its Customer Support system was leaking millions of users’ records on the Web.
Security researcher Bob Diachenko, working with Comparitech, discovered servers containing similar sets of records covering more than 250 million customers, which they were able to trace back to Microsoft’s Customer Service and Support (CSS) system. The source was apparently a database that was left open to anyone with a web browser, with no password or other authentication required.
Personally identifiable information (PII) was fortunately redacted in those records, but they still contained more than enough information to cause harm to affected customers. The 250 million records included logs of conversations with Microsoft support representatives, customer email addresses, and even the email addresses of Microsoft’s own support agents.
To its credit, Microsoft at least acted swiftly to plug the hole despite the holidays, though it is only now that all parties are disclosing the incident. Considering this isn’t Microsoft’s first tango with a database breach, it’s still disappointing that it would make such a glaringly simple blunder.
Comparitech warns customers who have used Microsoft’s customer support to be on guard for potential tech support scams. As a matter of policy, Microsoft never initiates contact with customers about technical issues; it waits for customers to reach out first. Microsoft has not revealed what actions it will take to protect those affected.