Microsoft confirms it left millions of semi-redacted customer service records exposed

The company fixed the vulnerability within 24 hours of its being reported.


A misconfiguration in Microsoft’s customer support database left somewhere around 250 million records open and ripe for hacking, according to consumer research group Comparitech. Microsoft has since confirmed that the vulnerability existed in the system from December 5 to December 31 of last year.

Luckily the information was redacted — Microsoft’s confirmation points to the company’s policy of auto-redacting personal information from its support analytics database. The company’s investigation into the vulnerability also confirmed that “the vast majority” of records had enough personal information removed that their exposure was not a problem at all.

And Microsoft was quick on the uptake — it patched the vulnerability within 24 hours of being notified of its existence by Comparitech. Lead researcher Bob Diachenko praised Microsoft for its responsiveness and quick turnaround on the issue, despite its being reported on New Year’s Eve.

Microsoft has also stated that it is taking action to ensure a similar vulnerability does not rear its head in the future. The company is expanding the scope of its auto-redaction rules, adding extra alerts to service teams when rules are misconfigured, and auditing other established network security rules.

Some data could have been stolen, though — Microsoft did not release numbers of customers who may have been affected by the vulnerability. However, Comparitech notes that any stolen data could be used to run phishing and other scams on Microsoft customers by impersonating service agents. Microsoft says it’s notifying any customers whose data would have been available.