On January 22 (local time), Microsoft announced that 250 million records were temporarily exposed on the web because of a design mistake in a customer database used to analyze support cases.
Microsoft explained that a change was made to the database on December 5 of last year. Security researcher Bob Diachenko and Comparitech's security research team, who noticed that the database had been exposed, reported this to Microsoft on December 29, and Microsoft finished correcting it on December 31.
According to Microsoft's investigation, no signs of malicious use were found. The exposed information includes interactions between the support center and customers, but personal information had been redacted by numerous automated tools. However, data that the automated tools could not handle, such as email addresses separated by spaces, is said to have remained as it was.
Even though the data is mostly anonymized, a malicious user who obtained it could pretend to be Microsoft support and contact customers to obtain personal information. For that reason, Microsoft is said to have individually notified the users who were registered in the database. In addition, Microsoft will take this opportunity to implement measures such as auditing security rules and deploying additional automated redaction tools.
Aside from Windows and browsers, it is rare for Microsoft itself to leak information, but this was in fact the second time in a year that support-related data was leaked. In April 2019, a hacker stole credentials from a support platform to access support-related email addresses and account data.
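The redaction gap described above, where addresses written with spaces survive automated redaction, can be reproduced and audited for. The following is an added example, not Microsoft's tooling and not code from the original article; the sample notes, both patterns and all function names are constructed for illustration, and it covers email addresses only.

```python
import re

# Constructed sample support-case notes (not real data).
SAMPLE_NOTES = [
    "Customer alice@example.com reports activation failure.",
    "Callback requested, reach me at bob @ example . org after 5pm.",
    "Agent note: user typed carol.smith @example.co.uk in chat.",
    "No contact details in this note.",
]

PLACEHOLDER = "[REDACTED_EMAIL]"

# Conventional pattern: assumes the address is one unbroken token.
NAIVE_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Tolerant pattern: allows spaces or tabs around "@" and around the dots of
# the domain part. It errs toward over-redaction, e.g. an address followed by
# ". Word" loses that word too, which is the safer failure for a redactor.
TOLERANT_EMAIL = re.compile(
    r"[A-Za-z0-9._%+-]+[ \t]*@[ \t]*[A-Za-z0-9-]+(?:[ \t]*\.[ \t]*[A-Za-z0-9-]+)+"
)


def redact(text, pattern):
    """Replace every match of `pattern` in `text` with the placeholder."""
    return pattern.sub(PLACEHOLDER, text)


def audit(notes, pattern):
    """Redact each note with `pattern`, then return the indices of notes that
    still contain an address-like string according to the tolerant pattern."""
    return [
        i for i, note in enumerate(notes)
        if TOLERANT_EMAIL.search(redact(note, pattern))
    ]


if __name__ == "__main__":
    for name, pattern in (("naive", NAIVE_EMAIL), ("tolerant", TOLERANT_EMAIL)):
        print(f"--- {name} redaction ---")
        for note in SAMPLE_NOTES:
            print(redact(note, pattern))
        print("notes with residual addresses:", audit(SAMPLE_NOTES, pattern))
```

Running a stricter detector over already-redacted output, as `audit` does, is a cheap release gate: any non-empty result means the redaction step missed something.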