A non-secure server containing customer data for over 250M users was discovered by Microsoft. While no payment or credit card numbers were present for customers, there were sensitive fields that could be used in future fake support scam calls, emails, or websites. Microsoft quickly fixed all issues and shared the details to raise awareness among its customers.


Report: 250 million Microsoft customer service and support records exposed on the web

A new report reveals that 250 million Microsoft customer records, spanning 14 years, have been exposed online without password protection.

Those records were customer service and support logs detailing conversations between Microsoft support agents and customers from across the world. Incredibly, the unsecured Elasticsearch servers contained records spanning a period from 2005 right through to December 2019. When I say unsecured, I mean that the data was accessible to anyone with a web browser who stumbled across the databases: no authentication at all was required to access them, according to the Comparitech report.

However, the researchers say that many contained plain text data including customer email addresses, IP addresses, geographical locations, descriptions of the customer service and support claims and cases, Microsoft support agent emails, case numbers and resolutions, and internal notes that had been marked as confidential. This may seem like no big deal in the overall scheme of things, but when you consider that Microsoft support scams are pretty rampant, it doesn’t take a genius to work out how valuable such information would be to the fraudsters carrying out such attacks.