Microsoft exposed nearly 250 million customer records, spanning 14 years, by making the data accessible to anyone with a web browser.
Comparitech researchers discovered the massive batch of exposed data, which contained customer support logs and other sensitive information that could have been used to aid phishing attacks on Microsoft customers. The leaked data includes IP and physical addresses, customer emails, and descriptions of customer service claims and cases.
“The data could be valuable to tech support scammers, in particular. Tech support scams entail a scammer contacting users and pretending to be a Microsoft support representative. These types of scams are quite prevalent, and even when scammers don’t have any personal information about their targets, they often impersonate Microsoft staff,” said Comparitech researcher Paul Bischoff.
The data was available on five servers without any form of password protection for 25 days during the holiday season. Microsoft determined that the exposure was enabled by a change made to the database’s network security group that contained misconfigured security rules.
The tech giant took swift action to secure that data after being notified by the Comparitech security research team. The two companies said there was no indication as to whether the data was accessed by third parties.