Microsoft Records Endangered: 250 Million CSS Files Were Exposed

Microsoft seems to have made a major error in the closing days of 2019, as it somehow left more than 250 Customer Service and Support (CSS) records exposed to anyone on the web. The records, which contained logs of conversations between Microsoft customers and customer support, included files from the last 14 years, from 2005 to late 2019.

[NEW REPORT] Misconfigurations happen – no matter how big or secured a company is. Here is my new report. 250M+ million Microsoft's Customer Service and Support (CSS) records were exposed on the web. https://t.co/C1Ll0nT8vz

— Bob Diachenko (@MayhemDayOne) January 22, 2020

Furthermore, all of the exposed data was available to anyone, completely unencrypted, and with no need for a password or some other method of authentication. The files were then discovered by Comparitech security researchers, led by Bob Diachenko. Diachenko and his team discovered five Elasticsearch servers in total, each with an identical set of records, which they immediately reported to Microsoft. The data was exposed for around three days in total, from December 28th, when the databases were indexed by a search engine known as BinaryEdge, over December 29th, when the files were uncovered and researchers reported the leak. Microsoft then secured the servers and the files over December 30th and 31st, but they also started an investigation to determine how this has happened, as well as a remediation process, during which they notified affected individuals. Three weeks later, on January 21st, 2020, the company published the details of the investigation. Microsoft’s General Manager, Eric Doerr,  stated that the company is thankful to Diachenko and his team, and their efforts to help contain the situation. However, it remains unknown whether the data was accessed by an unauthorized third party. For the most part, the files that were revealed contained plain text data, such as customer email, Microsoft support staff email, IP addresses, locations, internal notes, descriptions of CSS cases, and more. While personally identifiable data was mostly redacted from the database, there is still a significant danger due to exposure, as the data could still be valuable to scammers.