October 10, 2001 12:50 PM PDT

Microsoft closes window to customer data

Related Stories

Yahoo News hacked, story changed

September 20, 2001

Hacker helps Excite@Home toughen defenses

May 29, 2001
Microsoft moved swiftly this week to close a security gap in its customer service Web site that let anyone with a browser view customers' sales records and other confidential information.

The software giant had left a search database exposed without security protections. The address of the customer service page was unpublished, but by altering the numerical IP (Internet Protocol) addresses of known Microsoft Web sites, a security enthusiast located it and found himself with access to an unknown number of customer service records.

Each exposed record included the customer's name, purchasing history, shipping address, billing address, phone numbers, e-mail address and credit card type. It did not include the actual credit card number.

"We were notified of this, we fixed the problem, and we're reviewing our internal systems to make sure proper procedures are followed to make sure this doesn't happen again," Microsoft representative Jim Desler said Wednesday. "This was a case of human error, and we will remain vigilant in our efforts to protect customer information and will not accept any breakdowns or failures in this process."

Adrian Lamo, who discovered the unprotected page, has exposed other embarrassing security gaffes by Internet giants. Last month, Lamo succeeded in breaking into Yahoo's news production tools and altering news stories. Prior to that, Excite@Home credited him with helping them shore up their customer records, which had been vulnerable to exposure.

Lamo said Microsoft fixed the hole within an hour of notification by news Web site NewsBytes.


Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.