Throughout most of last December, Microsoft left about a quarter of a billion customer service and customer support records exposed on the Internet for anyone to see, according to the security researchers who discovered them.

Researchers working with the British technology news site Comparitech say they discovered unprotected data consisting of five identical databases containing records of conversations between Microsoft's technical support agents and their customers.

The exposed records, spanning 14 years (from 2005 to December 2019), included some customer email addresses, Internet Protocol (IP) addresses, websites, nature of complaints, case numbers, and email messages for technical support agents.

In a notice posted on its website, Microsoft said it had investigated "wrong settings in the internal customer support database" and confirmed that no malicious use of the data had been detected, but that customers had "exposed personal identification information".

"We want to be transparent about this incident with all the clients and assure them that we take it seriously and hold ourselves accountable," the company added.

The company asserts that the problem was limited to an internal database used for support case analytics rather than its commercial cloud services. According to the technology website Tom's Guide, this is extremely important because Microsoft requires data stored in the support case analytics databases to be redacted so that personal information is removed.

As a result, "the vast majority of the records" did not contain personal information such as email addresses, most of which had been redacted.

What kind of information was left exposed?
Unfortunately, some data was left unchanged if it met certain conditions. Microsoft cited the example of information in a non-standard format, such as an email address that uses a hyphen (-) instead of a period (.) before the word "com".
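The failure mode Microsoft describes, shown as an added illustration (this is not Microsoft's code): a redaction rule that assumes a standard address shape skips an address written with a hyphen before "com", while a looser post-redaction audit catches the leftover. Both regular expressions, the function names and the sample records are constructed for this example.

```python
import re

# Assumed "strict" rule: an address must end in a dot followed by a TLD.
STRICT_EMAIL = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)
# Looser rule: anything shaped like local@host, whatever separates the labels.
# The final character class drops trailing punctuation such as "," or ".".
LOOSE_EMAIL = re.compile(r"[^\s@<>]+@[^\s@<>]*[A-Za-z0-9]")


def redact_strict(text):
    """Redact only addresses in the standard user@host.tld form."""
    return STRICT_EMAIL.sub("[EMAIL]", text)


def redact_loose(text):
    """Redact every token containing '@', standard form or not."""
    return LOOSE_EMAIL.sub("[EMAIL]", text)


def residual_addresses(redacted_text):
    """Post-redaction audit: list address-like tokens that survived."""
    return LOOSE_EMAIL.findall(redacted_text)


# Constructed sample support records (not real data).
RECORDS = [
    "Case 1001: customer alice@example.com cannot sign in.",
    "Case 1002: reply to bob@example-com, mailbox full.",
]

if __name__ == "__main__":
    for record in RECORDS:
        strict = redact_strict(record)
        print("strict :", strict)
        print("  audit:", residual_addresses(strict))
        print("loose  :", redact_loose(record))
```

Running the audit over the output of the redaction step, rather than trusting the redaction pattern alone, is what surfaces records like the second one before they are stored.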

But according to Comparitech, the types of data exposed extend beyond email addresses. According to security researcher Bob Diachenko, IP addresses, websites, descriptions of customer complaints, support agent messages, case numbers and internal notes marked "secret" were left unprotected in at least some cases.

Although truly sensitive data such as birth dates, credit card information, or email aliases had been redacted or were never entered in the first place, the exposed data can still be used by fraudsters who claim to be from technical support.

With this information, scammers can be more convincing when they randomly call people and claim to be legitimate technical support agents from Microsoft. For example, they can cite the actual case number obtained from the exposed database.

What can you do to protect yourself?
Microsoft has not found evidence of any harmful use of the exposed data, and the information in the databases is of moderate sensitivity. However, Microsoft customers should be cautious about email spoofing and technical support scams.

Remember that Microsoft will never contact you proactively to inquire about your device, so you should be skeptical of anyone who contacts you if you did not contact Microsoft first.