Microsoft briefly exposed call center data on almost 250 million customers via several unsecured cloud servers late last year, according to researchers.

Bob Diachenko spotted the major privacy snafu a day after databases across five Elasticsearch servers were indexed by the BinaryEdge search engine on December 28.

Each contained a seemingly identical trove of Microsoft Customer Service and Support (CSS) records spanning a 14-year period. The records included phone conversations between service agents and customers dating back to 2005, all password-free and completely unprotected, according to Comparitech.

Most personally identifiable information (PII) was redacted from the records, but “many” apparently contained customer email and IP addresses, support agent emails and internal notes and descriptions of CSS cases.

This presented not just a phishing risk but a valuable collection of data for tech support scammers who impersonate call center agents from Microsoft and other companies to install malware on victim machines and steal financial data.

“With detailed logs and case information in hand, scammers stand a better chance of succeeding against their targets,” explained Comparitech’s Paul Bischoff.

“If scammers obtained the data before it was secured, they could exploit it by impersonating a real Microsoft employee and referring to a real case number. From there, they could phish for sensitive information or hijack user devices.”

However, Microsoft was praised for acting swiftly to lock down the exposed servers.

After being informed by Diachenko on December 29, the firm had secured all data by December 31.

Microsoft is just the latest in a long line of companies that have exposed sensitive consumer data through cloud misconfigurations.

These include Choice Hotels, Honda North America, Adobe and Dow Jones.

Sometimes the leaks come from suspected cyber-criminals. Back in December, over one billion email and password combos were exposed via an unsecured Elasticsearch database, with many collected from a previous 2017 breach.