The company says it found no proof of malicious use.
While most people were out celebrating the start of a new year, Microsoft’s security teams were working to close a potentially enormous security hole. On Thursday, the company disclosed a database error that briefly left about 250 million customer service and support records accessible to anyone with a web browser.
Security researcher Bob Diachenko and Comparitech discovered the exposure on December 29th, and Microsoft fixed it two days later. The company says the exposure was caused by a “misconfiguration” of one of its internal customer support databases, and asserts it found no proof of “malicious use.”
The server had conversation logs dating as far back as 2005 between Microsoft support personnel and customers from around the world. According to Comparitech, the database was not password-protected.
Microsoft says the “vast majority” of the exposed personal data had been redacted. However, Comparitech notes that some information, such as IP and email addresses, was stored in plain text. Had somebody accessed the logs, they could have used them to more convincingly impersonate the company’s support staff in a scam.
“We want to genuinely apologize and assure our customers that we are taking it seriously and working persistently to learn and take action to avoid any future reoccurrence,” Microsoft said. The company has started informing people whose data was stored on the database.
As a result of this latest exposure, Microsoft says it intends to audit its internal security rules and deploy additional tools to automatically redact sensitive user information. It will also put in place new and expanded alerts to notify its service teams when it detects a security misconfiguration.
For Microsoft, this is its second significant data security incident tied to its customer support system within a single year. In April 2019, the company revealed that hackers had used a customer support representative’s credentials to access the email accounts of some of its users. Ultimately, the underlying issue in both cases is that internal support systems have almost unparalleled levels of access to user information, making them tempting targets for hackers. Dave Aitel, the chief security technology representative at Cyxtera, told Wired around the time of the Microsoft email hack, “support is a big security hole waiting to happen.”