Microsoft Security Shocker As 250 Million Customer Records Exposed Online
Microsoft exposed roughly 250 million customer service and support records in December 2019, according to a blog post by Comparitech. The leak was uncovered by a Comparitech team led by Bob Diachenko, who promptly notified Microsoft of the issue. The databases holding the records were indexed by the BinaryEdge search engine on Dec. 28. Within 24 hours of his report, according to Diachenko, Microsoft had secured all of the servers.
Eric Doerr, general manager at Microsoft, had this to say about the incident:
We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate.
So exactly which Microsoft records were exposed? According to Comparitech, the records did not contain email aliases, contact numbers or payment information. That is some comfort, but what was exposed is still a serious concern: customer email addresses, IP addresses, customer locations, descriptions of customer service and support (CSS) claims and cases, the email addresses of support agents, case details such as case numbers and resolutions, and internal notes marked confidential.
While it is good that Microsoft closed the leak quickly, the fact remains that the databases sat open to anyone for at least two days after a public search engine indexed them (and, by Microsoft's own later account, had been exposed since December 5). Data of this kind is readily usable for social engineering, above all tech support scams: a fraudster who can quote a genuine case number, the date of a real support conversation and the name of the agent involved is far more convincing than one calling cold. Even more damning for Microsoft, as Comparitech points out, this is the second private data incident of 2019 and the third in the 2010s decade. For a company as large and trusted as Microsoft, these incidents are inexcusable.
Though the researchers are fairly confident that no other third party accessed the databases, there is no way to guarantee this. Microsoft customers should be more wary than usual, as social engineering attacks such as tech support scams could well follow.
A new report reveals that 250 million Microsoft customer records, spanning 14 years, have been exposed online without password protection.
Microsoft has been in the news for mostly the wrong reasons recently. There is the Internet Explorer zero-day vulnerability that Microsoft has not yet patched, despite it being actively exploited. That came just days after the U.S. Government issued an alert urging Windows 10 users to update immediately because of the "extraordinarily serious" CurveBall cryptographic vulnerability. Now a newly published report has revealed that 250 million Microsoft customer records, spanning an incredible 14 years in all, have been exposed online in a database with no password protection.
What Microsoft customer records were exposed online, and where did they come from?
Paul Bischoff, a privacy advocate and editor at Comparitech, has revealed how an investigation by the Comparitech security research team uncovered no fewer than five servers containing the same set of 250 million records. Those records were customer service and support logs detailing conversations between Microsoft support agents and customers from across the world. Incredibly, the unsecured Elasticsearch servers contained records spanning a period from 2005 right through to December 2019. When I say unsecured, I mean that the data was accessible to anyone with a web browser who stumbled across the databases: according to the Comparitech report, no authentication at all was required to access them.
Much of the personally identifiable information appears to have been redacted. However, the researchers say that many records still contained plaintext data including customer email addresses, IP addresses, geographical locations, descriptions of the customer service and support claims and cases, Microsoft support agent emails, case numbers and resolutions, and internal notes that had been marked as confidential. This may seem like no big deal in the overall scheme of things, but when you consider how rampant Microsoft tech support scams are, it doesn't take a genius to work out how valuable such information would be to the fraudsters carrying out those attacks: a caller who can quote your real case number and the name of the agent you spoke to is far harder to dismiss.
How was the Microsoft data exposure discovered, and how long did it take to lock down?
On December 28, 2019, the databases in question were discovered and indexed by threat intelligence search engine BinaryEdge. The following day, Bob Diachenko, who headed up the Comparitech security research team, spotted them and notified Microsoft. "I immediately reported this to Microsoft, and within 24 hours, all servers were secured," Diachenko said. Considering the time of year, this was a remarkably quick response. That said, it was also a remarkably serious leak.
Eric Doerr, general manager at the Microsoft Security Response Center, said: "We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate."
It's not known at this point whether the databases were accessed by anyone else during the time that they were exposed online.
In a Microsoft Security Response Center posting dated January 22, Microsoft said that "the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable."
That posting also confirmed that the exposure of the database started on December 5, 2019, as the result of misconfigured security rules, and was remediated on December 31. The statement included an apology from Microsoft: "We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence."
It’s time for governments to start dropping the hammer on very preventable data breaches
I asked Ian Thornton-Trump, CISO at Cyjax and co-host of the BeerConOne virtual security conference, for his thoughts about this incident. "This is massive, and not unexpected to be honest," he said, "it just shows how difficult it is for anyone, even a giant tech company, to manage data and storage correctly."
Given that there has already been interest from European data protection agencies regarding how Microsoft collects data from Windows 10 users, it wouldn't surprise me if there are now further investigations with a view to EU General Data Protection Regulation (GDPR) penalties. "It kind of demoralizes my soul when even the vendor can’t seem to get it right," Thornton-Trump says, "and why the vendor is storing such ancient records in the first place? I think it’s time for governments to start dropping the hammer on these very preventable data breaches."
What positives can other organizations take away from this incident?
Microsoft has said that this exposure came about as a result of misconfigured security rules on the servers holding the customer services and support data. The question, then, is how other organizations can avoid finding themselves in a similar sticky security situation. "It's a common mistake in any environment where data is stored," Bischoff says, "security groups set firewall rules that decide who can access what from where (or what device)." However, all of those aspects need to be audited on a regular basis, "to ensure security groups work as intended," according to Bischoff. If they don't, then Bischoff advises that there should be some mechanism in place that detects misconfigurations. "If a misconfiguration is detected," he says, "security staff should be notified immediately so it can be remedied."
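The audit Bischoff describes can be automated, and doing so is the cheapest defence against exactly this class of exposure. The following is an added example, not code from Comparitech, Microsoft or this article: it walks a list of ingress rules, flags any rule that exposes an Elasticsearch (or similar data-store) port to the whole internet, and reports rules that are not in an approved baseline so that staff can be paged. The `Rule` shape and the sample rules are constructed for illustration; they are a simplified stand-in for cloud security-group or NSG rules, not either vendor's real API schema.

```python
"""Audit ingress rules for data-store ports open to the whole internet.

Added example. The Rule shape and SAMPLE_RULES are constructed for
illustration; they are a simplified stand-in for cloud security-group /
NSG rules, not a real vendor API schema.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Services that should never be reachable from 0.0.0.0/0. The Elasticsearch
# ports (9200 REST, 9300 transport) and Kibana are the ones relevant here.
SENSITIVE_PORTS: Dict[int, str] = {
    9200: "elasticsearch-http",
    9300: "elasticsearch-transport",
    5601: "kibana",
    27017: "mongodb",
    6379: "redis",
    3306: "mysql",
    5432: "postgresql",
}


@dataclass(frozen=True)
class Rule:
    group: str      # security group / NSG name (hypothetical)
    protocol: str   # "tcp", "udp", or "-1" meaning any protocol
    from_port: int  # -1 means all ports
    to_port: int
    cidr: str       # source range; "0.0.0.0/0" or "::/0" is the whole internet


def cidr_is_world_open(cidr: str, max_hosts: int = 1 << 16) -> bool:
    """True for the whole internet or a large public source range.

    A public block of /16 or wider is treated as effectively open. Private
    (RFC 1918, ULA) and link-local sources are internal and are not flagged.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return True
    if net.is_private or net.is_link_local:
        return False
    return net.num_addresses >= max_hosts


def sensitive_ports_in(rule: Rule) -> Set[int]:
    """Sensitive ports covered by the rule's protocol and port range."""
    if rule.protocol not in ("tcp", "-1"):
        return set()  # the services above are TCP-only
    if rule.protocol == "-1" or rule.from_port == -1:
        return set(SENSITIVE_PORTS)
    return {p for p in SENSITIVE_PORTS if rule.from_port <= p <= rule.to_port}


def find_exposed(rules: Iterable[Rule]) -> List[Tuple[Rule, List[Tuple[int, str]]]]:
    """Every world-open rule that reaches a sensitive port, with the services hit."""
    findings = []
    for rule in rules:
        if not cidr_is_world_open(rule.cidr):
            continue
        hit = sorted(sensitive_ports_in(rule))
        if hit:
            findings.append((rule, [(p, SENSITIVE_PORTS[p]) for p in hit]))
    return findings


def drift(baseline: Iterable[Rule], current: Iterable[Rule]) -> List[Rule]:
    """Rules in force now that are not in the approved baseline."""
    added = set(current) - set(baseline)
    return sorted(added, key=lambda r: (r.group, r.from_port, r.cidr))


def alert_lines(findings, drifted) -> List[str]:
    """Human-readable lines for whatever pages the on-call engineer."""
    lines = []
    for rule, services in findings:
        names = ", ".join(f"{port}/{svc}" for port, svc in services)
        lines.append(f"EXPOSED {rule.group}: {rule.cidr} -> {names}")
    for rule in drifted:
        lines.append(f"DRIFT   {rule.group}: unapproved rule {rule.protocol} "
                     f"{rule.from_port}-{rule.to_port} from {rule.cidr}")
    return lines


# Constructed sample: an Elasticsearch group opened to the world by mistake.
SAMPLE_RULES = [
    Rule("sg-support-es", "tcp", 9200, 9200, "0.0.0.0/0"),   # the misconfiguration
    Rule("sg-support-es", "tcp", 9300, 9300, "10.0.0.0/8"),  # internal only: fine
    Rule("sg-bastion", "tcp", 22, 22, "192.0.2.0/24"),       # narrow source, not a data port
    Rule("sg-legacy", "-1", -1, -1, "::/0"),                 # everything open over IPv6
]
APPROVED_BASELINE = [SAMPLE_RULES[1], SAMPLE_RULES[2]]

if __name__ == "__main__":
    for line in alert_lines(find_exposed(SAMPLE_RULES),
                            drift(APPROVED_BASELINE, SAMPLE_RULES)):
        print(line)
```

Run on a schedule against rules pulled from the cloud provider's API, the exposure check catches the obvious "anyone, any port" mistake, while the baseline comparison is what turns a periodic audit into the detection mechanism Bischoff asks for: a rule that nobody approved is reported the first time the job sees it, not weeks later when a search engine indexes the data behind it.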
Website of Vietnam Union of Science and Technology Associations