For one of the first data leaks of the decade, Microsoft is not doing very well. The Mountain View company announces today that more than 250 million customer service recordings made between December 5 and December 31 have been leaked.
In a blog post, Microsoft announced that a configuration error following an update on its servers on December 5 opened a breach.
That breach allowed the search engine BinaryEdge to index Microsoft databases, and therefore offered full access without any password or username being required.
The Comparitech security team spotted the exposure on December 29; Microsoft was alerted the same day and set to work to secure the data. That work ended two days later, on December 31, 2019.
Microsoft breach: Potentially sensitive data
The databases left open by Microsoft contained nearly 250 million records made during telephone calls to the company’s customer service, as well as all the files created subsequently.
Consequently, some textual data could be viewed in the clear. This is particularly the case for email addresses, IP addresses, caller location and file numbers, and even for “confidential internal notes”, with no further details given.
For Comparitech, which discovered the breach, the leaked data can then be used in major phishing scam campaigns, since hackers would have at their disposal all the information necessary to impersonate Microsoft service agents.
To ensure that this does not happen again, Microsoft says it is determined to carry out a full audit of the security of its network.
Microsoft also says it’s committed to preventing this sort of situation from happening again, so it’s taking a number of steps. These include auditing the network security rules currently in place, adding alerts for when misconfigurations are detected, and implementing more automated redaction. The company is also notifying any customers affected by this incident.