Because of an error Microsoft he left exposed online millions of data relating to the assistance and internal support service. The same company revealed it in a post on the official blog: the problem was first discovered by a team of security researchers led by Bob Diachenko, with the database exposed on the web that it had as many as 250 million recorded entries from the help desk and support logs.
According to what Microsoft said, the database was made available online due to an error: in this case, the company speaks of aincorrect configuration in the safety rules because of some changes made on December 5th. Although the problem emerged during the holidays, Microsoft was able to repair the error with relative speed, given that all data were secured on December 31st.
The data contained information related to conversations between customers and Microsoft support teams, and it is data that typically Microsoft technicians collect in log files as part of the standard procedure adopted by the company. Some data, however, have not been encrypted, including sensitive information such as e-mail addresses useful for customers or technicians, IP addresses, geographical positions, confidential internal notes.
As reported by the research team that discovered the security problem, the information could be used by malicious actors, all of whom they can pretend to be an official Microsoft help desk employee to obtain private data from users. In practice, however, Microsoft has stated that it has not discovered any evidence of improper use of the data and is committed to preventing this type of situation from happening again.
The company has started to implement a series of procedures that provide for a more direct control of the security of the network on site, additional warnings when incorrect configurations are put in place and the implementation of automated review activities. The company has privately notified all customers whose data has been exposed without protection.