PCMag editors select and review products independently. If you buy through affiliate links, we may earn commissions, which help support our testing.

PCMag UK

Oops! Microsoft Briefly Leaked 250M Customer Support Records

The records involved conversation logs between Microsoft support agents and customers across the globe, dating back to 2005. Most of the records were redacted of customer contact information, but not all.

Michael Kan
 & Michael Kan Principal Reporter

Our team tests, rates, and reviews more than 1,500 products each year to help you make better buying decisions and get more from technology.

Our Expert
LOOK INSIDE PC LABS HOW WE TEST
65 EXPERTS
43 YEARS
41,500+ REVIEWS

Last month, Microsoft databases housing 250 million customer support records going back to 2005 were accidentally exposed on the open internet.

The records involved conversation logs between Microsoft support agents and customers across the globe, according to security researcher Bob Diachenko, who spotted the leak on Dec. 29 with the team at Comparitech.

Fortunately, most of the exposed records were redacted, stripped of customers' personal information, such as payment details. But in some cases, the logs still contained plain text data mentioning customers' email address, IP addresses, locations, as well as descriptions of the support claim.

The databases would've been extremely valuable for tech support scammers, who try to trick unsuspecting victims into thinking their computer is riddled with viruses. The records would've given them a launching pad to pose as Microsoft support agents, who could then refer to the old tech-support tickets to prove their legitimacy.

Not helping the matter was how anyone could access the exposed Microsoft servers via a web browser, no password needed. Diachenko reported the leak to Microsoft on the same day he discovered it, and the software giant patched the problem in two days.

"While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable," Microsoft said in a blog post today.

The root of leak occurred on Dec. 5, when the company accidentally misconfigured the security rules around the servers, which were focused on "support case analytics." Microsoft said it uses automated tools to remove personal information from customer support records, but in some scenarios, the records can remain unredacted under "specific conditions."

"An example of this occurs if the information is in a non-standard format, such as an email address separated with spaces instead of written in a standard format (for example, 'XYZ @contoso com' vs 'XYZ@contoso.com'). We have begun notifications to customers whose data was present in this redacted database," the company added.

Microsoft adds it's taken action to prevent future accidental server misconfigurations. "We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database," the company said.

About Our Expert

Michael Kan

Michael Kan

Principal Reporter

My Experience

I've been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I'm currently based in San Francisco, but previously spent over five years in China, covering the country's technology sector.

Since 2020, I've covered the launch and explosive growth of SpaceX's Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I've combed through FCC filings for the latest news and driven to remote corners of California to test Starlink's cellular service.

I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. In 2024 and 2025, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.

I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I'm now following how the AI-driven memory shortage is impacting the entire consumer electronics market. I'm always eager to learn more, so please jump in the comments with feedback and send me tips.

The Best Tech I've Had:

  • My first video game console: a Nintendo Famicom
  • I loved my Sega Saturn despite PlayStation's popularity.
  • The iPod Video I received as a gift in college
  • Xbox 360 FTW
  • The Galaxy Nexus was the first smartphone I was proud to own.
  • The PC desktop I built in 2013, which still works to this day.

Read the latest from Michael Kan

Read full bio