Microsoft has today announced a data breach that affected one of its customer databases.
The blog article, entitled Access Misconfiguration for Customer Support Databases, admits that between 05 December 2019 and 31 December 2019, a database used for “support case analytics” was effectively visible from the cloud to the world.
Microsoft didn’t give details of how big the database was. However, consumer website Comparitech, which says it discovered the unsecured data online, claims it was on the order of 250 million records containing:
…logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019.
According to Comparitech, that same data was accessible on five Elasticsearch servers.
The company informed Microsoft, and Microsoft quickly secured the data.
Microsoft’s official statement says that “the vast majority of records were cleared of personal information,” meaning that it used automated tools to find and remove private data.
However, some private data that was supposed to be redacted was missed and remained visible in the exposed information.
Microsoft didn’t say what type of personal information was involved, or which data fields ended up un-anonymised.
It did, however, give one example of data that would have been left behind: email addresses with spaces added by mistake were not recognised as personal data and therefore escaped anonymisation.
So if your email address were recorded as “email@example.com” your data would have been converted into a harmless form, whereas “name[space]@example.com” (an easy mistake for a support staffer to make when capturing data) would have been left alone.
Microsoft has promised to notify anyone whose data was inadvertently exposed in this way, but didn’t say what percentage of all records were affected.
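As an added illustration (not Microsoft’s tooling, whose rules are not public), here is a constructed Python example of an email-redaction rule that, like the one the article describes, misses addresses containing a stray space, beside a whitespace-tolerant pattern and an audit helper that lists what the naive rule leaves behind. The log lines are constructed samples.

```python
import re

# Naive rule: matches only well-formed addresses, so an address typed with a
# stray space ("name @example.com") is not recognised and escapes redaction.
NAIVE_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Tolerant rule: permits optional whitespace around the "@" and the dots,
# which is exactly the class of typo that defeated the naive rule.
TOLERANT_EMAIL = re.compile(
    r"[A-Za-z0-9._%+-]+\s*@\s*[A-Za-z0-9-]+"
    r"(?:\s*\.\s*[A-Za-z0-9-]+)*\s*\.\s*[A-Za-z]{2,}"
)

# Constructed support-case log lines (hypothetical, not from the breach).
SAMPLE_LOG = [
    "Case 1: customer email@example.com asked about activation",
    "Case 2: contact is name @example.com, call back tomorrow",
    "Case 3: reach them at other.user@ example.org",
]


def redact_naive(text):
    """Scrub addresses the way a strict, whitespace-intolerant rule would."""
    return NAIVE_EMAIL.sub("[REDACTED]", text)


def redact_tolerant(text):
    """Scrub addresses even when a space was typed around '@' or a dot."""
    return TOLERANT_EMAIL.sub("[REDACTED]", text)


def leaked_addresses(text):
    """Audit helper: run the naive scrubber, then report every address the
    tolerant pattern can still find in its output. A non-empty result means
    the naive rule would have left personal data in the export."""
    after = redact_naive(text)
    return [m.group(0) for m in TOLERANT_EMAIL.finditer(after)]


if __name__ == "__main__":
    for addr in leaked_addresses("\n".join(SAMPLE_LOG)):
        print("missed by naive redaction:", addr)
```

Over-redaction is the safer failure for an analytics export, so the tolerant pattern is deliberately broad; running the audit helper over a sample of the data before it leaves the boundary is what would have caught this class of miss.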
What to do?
We don’t know how many people were affected or exactly what personal data was opened up for those users.
We also don’t know who else, besides Comparitech, may have noticed in the three weeks it was exposed, although Microsoft says that it “found no malicious use”.
We assume that if you don’t hear from Microsoft, even if you did contact support during the 2005 to 2019 period, then either your data wasn’t in the exposed database, or there wasn’t actually enough in the leaked database to allow anyone, including Microsoft itself, to identify you.
It’s nevertheless possible that crooks will contact you claiming that you *were* in the breach.
They might urge you to take steps to “fix” the problem, such as clicking on a link and logging in “for security reasons”, or to “confirm your account”, or on some other pretext.
Remember: if ever you receive a security alert email, whether you think it is legitimate or not, avoid clicking on any links, calling any numbers or taking any online actions demanded in the email.
Find your own way to the site where you would usually log in, and stay one step ahead of phishing emails!
16 comments on “Big Microsoft data breach – 250 million records exposed”
You guys should implement a ThumbsUp/ThumbsDown function for articles.
I don’t really have anything to add (except good work as usual), but PSA articles of this nature should hang out awhile in the “popular stories” section, which I couldn’t find a direct link to.
An upvote button could persistently prolong pertinent publications’ prominence, even those with paltry prologues.
Change “upvote button” in that last line to “pro-vote pushbutton”. 😉
Ah–a literally lost (lapsed?) alliterative amendment! Alas!
Even a promotion with no corresponding demotion would still allow visitors to give a digital “I concur–more folks should see this.” If plugins aren’t really offered in that way I’ll wager Mr. Stockley could hide the “disapprove” button with custom CSS, because I certainly see how some of the Negative Nellies could react poorly to some articles.
Maybe I’m overthinking this. …or maybe not. Wait…
What an interesting idea…
Thanks for the heads-up!
Guess this may be why I am unable to log onto my Microsoft surface pro suddenly???
Highly unlikely as I doubt passwords would have been part of this data.
I doubt that very much
No, they wouldn’t have your account security info. But it could explain the rash of spam email that suddenly seems to have gotten worse 🙁
Linux Mint in for the Win!
Yes, for a few months now I have had an increase in spam on my Hotmail account and some of them seem to know my name
Remember that this particular breach (assuming the data was downloaded by crooks at all) only started on 05 December 2019, so any ramp-up in spam from months before that couldn’t have been because of it…
Paul, you mean 2019 😉
Isn’t appearing as a data breach yet on haveibeenpwned.