Microsoft recently announced a data breach affecting one of its customer databases and exposing millions of records, including the personally identifying information (PII) of some customers who may have used Microsoft support since 2005.

Between Dec. 5 and Dec. 31, a change made to an internal customer support database’s network security contained misconfigured security rules, which left the database exposed and unsecured. Consumer website Comparitech, which claims to have discovered the unsecured data and reported the breach to Microsoft, said that 250 million records were exposed.

The exposed records include customer support records and logs that contained conversations between Microsoft support employees and customers all over the world, including records generated between 2005 and December 2019. According to Microsoft, PII in the database was automatically redacted from the majority of records.

However, the data may not have been redacted if it was not formatted in a specific way. For example, an email address would not have been redacted if a space was accidentally transposed as Microsoft’s automated redaction tool would not have known to redact the address with the extra space.

Microsoft officials stated they have started to notify affected customers who may have had their personal information, such as email addresses, exposed. They did not indicate how many customers were affected or what percentage of the records contained unredacted information.

According to Microsoft officials, they have secured the database and are taking the following steps to fix the problem:

  • Auditing established security protocols.
  • Expanding the scope of the tools that detect misconfigured security rules.
  • Expanding the alerts that notify service teams of misconfigured security rules.
  • Expanding automated redaction tools.

Most customers affected the breach have already been notified.

Microsoft officials said there is no evidence of malicious use. However, scammers may still try to take advantage of this news by sending out phishing information. If you receive messages from a source that claims to be with Microsoft support and directs you to click a link, download an attachment, call a phone number or provide personal information, you should not follow the instructions. Instead, navigate to Microsoft’s website yourself and contact them via official channels to verify if you have been affected or not.