Microsoft Admits Data Breach Exposed Details of 250 Million Users
Microsoft is the latest technology major to report a data breach incident, which is likely to have affected over 250 million of its users from across the globe.
The breach was first reported by Bob Diachenko, who is part of the security research team at Comparitech. He said that all of the Microsoft customers' data was accessible to anyone with a web browser, with no password or other authentication needed.
Microsoft claims that it hasn’t found any malicious use of the breached data, and that it was merely being transparent about the incident with all its customers.
“While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.”
The Comparitech report, on the other hand, says it found unsecured data of over 250 million users online, “containing logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019.” The security research firm also confirms that Diachenko alerted Microsoft about this breach, which the company then fixed.
“Diachenko immediately notified Microsoft upon discovering the exposed data, and Microsoft took swift action to secure it.”
The report also points out the breach was left unattended for about two days between 28 and 30 December.
What Data Was Breached?
Comparitech said that while personal details like email address and payment information were redacted, the following data was left accessible to anyone in plain text format.
- Customer email address
- IP address
- Microsoft support agent emails
- Description of customer support service and cases
These details, according to the security firm, may not sound like a lot, but with basic information like a customer's email address, scammers could reach out to affected users and try to gather more details from them.
With detailed logs and case information in hand, scammers stand a better chance of succeeding against their targets. If scammers obtained the data before it was secured, they could exploit it by impersonating a real Microsoft employee and referring to a real case number. From there, they could phish for sensitive information or hijack user devices.
Beware of Scammers
The team at Comparitech advises that Microsoft customers and Windows users should be wary of phone calls and emails, specifically those claiming to be from Microsoft.
It points out, “Microsoft never proactively reaches out to users to solve their tech problems; users must approach Microsoft for help first.”
The breach details don’t tell us which countries were most affected, but since Comparitech has used the phrase “across the globe”, it is possible that users from India are also among those whose data has been exposed.