Emerging Threats

Microsoft accidentally exposed 250 million customer records — What you should know

  • 250 million Microsoft customer records were exposed on an online database without password protection.
  • The exposed information included customer records from 2005 to December 2019. Exposed customer service and support logs included conversations between Microsoft support agents and customers.
  • Most personally identifiable information was redacted, although some customer email addresses, IP addresses, geographical locations, and other data were exposed.
  • Comparitech security researchers led by Bob Diachenko found the breach and notified Microsoft. Microsoft secured its database within 24 hours.
  • The risk? Cybercriminals could use the exposed information in tech-support scams or phishing scams.

Microsoft has acknowledged an access misconfiguration where 250 million customer records were exposed on a database without password protection.

The exposed records — including conversations with customers and Microsoft support agents — date from 2005 to December 2019.

The exposed information could raise the risk of tech-support scams targeting Microsoft customers. Scammers might be able to use the information to pretend they’re Microsoft support agents and try to trick customers into sharing their personal information.

Microsoft said there in no evidence that cybercriminals accessed the exposed information.

What data was exposed?

Most of the information exposed were customer service and support logs. Companies often keep this information as a record of conversations with customers.

In the Microsoft breach, most personally identifiable information was redacted from the records — meaning it was removed.

For some customers, additional information was exposed. Here’s what may have been included in those cases.

  • Customer email addresses.
  • IP addresses.
  • Microsoft support agent emails.
  • Case numbers and resolutions.
  • Internal notes marked as confidential.

“The added information could make you at risk of tech support scams pretending to be Microsoft. How? Scammers may have accessed lists of Microsoft customers and their emails addresses.”

How do I protect against tech support scams?

Here are some tips to help protect yourself against tech support scams.

  • Keep in mind most large corporations, including Microsoft, will not reach out to you about your tech problems. You have to initiate the communication. If someone is reaching out proactively, be suspicious. Even if they are following up on a recent, coincidental call of yours, hang up the phone. Call back the official support number on the company page – and not a number that was sent to you.
  • If the inquiry is over email, be careful about the source and destination of the incoming message. Do not share personally identifiable information over email. Most large companies will never ask for your password or other PII (Personal Identifiable Information) over email – and possibly not even over the phone. Most large companies have more secure methods of authenticating users.
  • Report any suspicious activity to the company. This will help the company remediate the situation.
  • If passwords were exposed in a data breach, it’s a good idea to change your password in the relevant account. If you used the same password for any other accounts, change those passwords, too. It’s smart to use a unique, complex passwords for each of your accounts.

What was the timeline on the Microsoft breach?

Comparitech, the company that found the Microsoft data breach, said the data was exposed for about two days. The company included this timeline in a blog post.

  • December 28, 2019 – The databases were indexed by search engine BinaryEdge.
  • December 29, 2019 – Comparitech researcher Bob Diachenko discovered the databases and notified Microsoft.
  • December 30-31, 2019 – Microsoft secured the servers and data. Diachenko and Microsoft continued the investigation and remediation process.
  • Jan 21, 2020 – Microsoft disclosed additional details about the exposure as a result of the investigation.

In a blog post, Microsoft wrote, “We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence. We also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this misconfiguration, investigate the situation, and begin notifying customers.”

What is Microsoft doing?

Microsoft said it concluded an investigation into a “misconfiguration of an internal customer support database used for Microsoft support case analytics.” The company said it is taking these steps.

  • Sending notifications to customers whose data was affected by the data breach.
  • Taking action to prevent future occurrences of this issue.
  • Auditing the established network security rules for internal resources.
  • Expanding the scope of the mechanisms that detect security rule misconfigurations.
  • Adding additional alerting to service teams when security rule misconfigurations are detected.

A major data breach is a reminder that cybercriminals who access exposed data, which sometimes can include PII, can use it for a variety of crimes, including identity theft. It’s also important to know that many of these crimes can occur years after a breach.

More than 50 million customers trust Norton with their personal information.

Your partner against cyber threats. Norton 360™ with LifeLock™, all-in-one protection against evolving threats to your connected devices, online privacy and identity.

Try Norton 360 with LifeLock. Post, bank and shop from your device. We’ll keep it secure.

Editorial note: Our articles provide educational information for you. NortonLifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

Copyright © 2022 NortonLifeLock Inc. All rights reserved. NortonLifeLock, the NortonLifeLock Logo, the Checkmark Logo, Norton, LifeLock, and the LockMan Logo are trademarks or registered trademarks of NortonLifeLock Inc. or its affiliates in the United States and other countries. Firefox is a trademark of Mozilla Foundation. Android, Google Chrome, Google Play and the Google Play logo are trademarks of Google, LLC. Mac, iPhone, iPad, Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. App Store is a service mark of Apple Inc. Alexa and all related logos are trademarks of, Inc. or its affiliates. Microsoft and the Window logo are trademarks of Microsoft Corporation in the U.S. and other countries. The Android robot is reproduced or modified from work created and shared by Google and used according to terms described in the Creative Commons 3.0 Attribution License. Other names may be trademarks of their respective owners.