The software giant had left a search database exposed without security protections. The address of the customer service page was unpublished, but by altering the numerical IP (Internet Protocol) addresses of known Microsoft Web sites, a security enthusiast located it and found himself with access to an unknown number of customer service records.
Each exposed record included the customer's name, purchasing history, shipping address, billing address, phone numbers, e-mail address and credit card type. It did not include the actual credit card number.
"We were notified of this, we fixed the problem, and we're reviewing our internal systems to make sure proper procedures are followed to make sure this doesn't happen again," Microsoft representative Jim Desler said Wednesday. "This was a case of human error, and we will remain vigilant in our efforts to protect customer information and will not accept any breakdowns or failures in this process."
Adrian Lamo, who discovered the unprotected page, has exposed other embarrassing security gaffes by Internet giants. Last month, Lamo succeeded in breaking into Yahoo's news production tools and altering news stories. Prior to that, Excite@Home credited him with helping them shore up their customer records, which had been vulnerable to exposure.
Lamo said Microsoft fixed the hole within an hour of notification by news Web site NewsBytes.