Microsoft exposed 250 million customer support records


    Databases containing 14 years’ worth of customer support logs were publicly accessible with no password protection

    More than 250 million customer service and support records were exposed by Microsoft over a two-day period in December 2019 due to a server misconfiguration. Since the records weren’t secured with any authentication measures, anyone with an internet connection and a browser could have accessed the data.

    The same set of 250 million records was stored on five Elasticsearch servers, which were spotted by Comparitech’s security researcher Bob Diachenko and his team on December 29th. They immediately notified Microsoft, which secured the data and started an investigation within two days.

    Microsoft apologized for the incident and was quick to assure users that it had detected no malicious use of the leaky servers. The tech giant has also been in the news of late for other reasons, notably a severe vulnerability in Windows and a zero-day flaw in Internet Explorer.

    What data?

    The records comprised logs of exchanges between Microsoft’s customer support and its customers, spanning a 14-year period from 2005 to 2019.

    While most personally identifiable information, such as payment information, was redacted, many records remained in plain text. These included customer email addresses, IP addresses, locations, descriptions of customer service support claims and cases, Microsoft support agent emails, case numbers, resolutions, remarks, and internal notes marked “confidential”.

    The cause?

    The investigation revealed that the culprit was a change in the database’s network security group, which contained misconfigured security rules.

    Such misconfigurations are not a rare occurrence, and we recently reported on a data leak that exposed birth certificate applications. Indeed, Microsoft echoed this very sentiment in a blog post addressing its customers:

    “Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”

    Another data leak involving a misconfigured Elasticsearch server affected nearly all of Ecuador’s population a few months ago.

    Amer Owaida

