Microsoft has confirmed that between December 5 and 31, 2019, a misconfiguration of the security rules for (what ought to have been) an internal customer support database left it exposed for anyone to access – no password required.
According to researcher Bob Diachenko, who found the database was accessible to anybody capable of running a web browser, the almost 250 million Customer Service and Support (CSS) records contained logs of conversations between Microsoft’s support staff and customers around the world.
The information, which covers a period of 14 years from 2005 to December 2019, was found on five Elasticsearch servers, each of which contained what appears to have been an identical copy of the 250 million records.
According to a blog post by Microsoft, the “vast majority of records” had been automatically redacted to remove some personal information.
Microsoft says its investigation into the security breach has “discovered no malicious use” of the data, but that it has begun to notify customers whose data was present in the unsecured database.