In a blog post on January 22, Microsoft disclosed that a misconfigured cloud database containing 14 years of customer support logs exposed millions of records with information such as email addresses, IP addresses and descriptions of customer support claims – leaving customers vulnerable to phishing and tech scams. Microsoft is currently in the process of notifying affected individuals.
With email addresses being leaked, customers should be vigilant for scam emails in the near future. Following breaches, victims may receive threatening emails demanding payment or other sensitive information. Some emails may seemingly appear innocuous, pretending to be from Microsoft support, meaning every email should be screened extra carefully.
Other personally identifiable information (PII) – email aliases (i.e., names), contract numbers and, crucially, payment information – was redacted, which Microsoft said is done via an automated privacy-check process. All five servers were exposed to the open internet, with no password required. Researcher Bob Diachenko, who collaborated with Comparitech on the discovery, notified Microsoft, which locked them down about two days after they were discovered, according to the posting.