Microsoft accidentally exposed 250 million customer support records online

Microsoft Support

Microsoft revealed that they have inadvertently left 250+ million customer service and support requests exposed on several servers without password protection from Dec. 5 to Dec. 31, 2019.

The Comparitech security research team led by Bob Diachenko uncovered five Elasticsearch servers, each of which contained an apparently identical set of the 250 million user analytics records. Diachenko immediately notified Microsoft upon discovering the exposed data, and Microsoft took swift action to secure it, despite it being New Year’s Eve.

I immediately reported this to Microsoft and within 24 hours all servers were secured. I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve.

– Bob Diachenko, security researcher, Comparitech

According to Microsoft, the exposure was caused by a “misconfiguration” of one of its internal customer support databases. The company claims it found no evidence of “malicious use”. The data included conversation logs dating as far back as 2005 between Microsoft support personnel and customers from across the world. According to Comparitech, the database was not password-protected.

We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate.

– Eric Doerr, General Manager, Microsoft

Comparitech shares details of the timeline of events:

  • December 28, 2019 — The databases were indexed by the search engine BinaryEdge.
  • December 29, 2019 — Diachenko discovered the databases and immediately notified Microsoft.
  • December 30-31, 2019 — Microsoft secured the servers and data. Diachenko and Microsoft continued the investigation and remediation process.
  • January 21, 2020 — Microsoft disclosed additional details about the exposure as a result of the investigation.

The leaked data contained the following information:

  • Customer email addresses
  • IP addresses
  • Locations
  • Descriptions of CSS claims and cases
  • Microsoft support agent emails
  • Case numbers, resolutions, and remarks
  • Internal notes marked as “confidential”

Microsoft also says it is committed to preventing this sort of situation from happening again, so it’s taking a number of steps. The actions include:

  • Auditing the established network security rules for internal resources.
  • Expanding the scope of the mechanisms that detect security rule misconfigurations.
  • Adding additional alerting to service teams when security rule misconfigurations are detected.
  • Implementing additional redaction automation.

Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.

– Microsoft security team
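The remediation list above and the security team's advice to review configurations both come down to catching an unauthenticated data store bound to a public interface before a search engine indexes it. The following checker is an added example, not code from Microsoft or Comparitech; it assumes the cluster is configured through a standard elasticsearch.yml using the stock keys `xpack.security.enabled`, `network.host` and `http.host`, and the sample config is constructed for illustration.

```python
"""Flag Elasticsearch settings that leave a cluster reachable without a password.

Added example (not Microsoft's or Comparitech's code). Assumes a stock
elasticsearch.yml; the sample config below is constructed, not from the incident.
"""
import re

# Constructed sample: a config that serves data to anyone who can reach port 9200,
# which is the failure mode described in the article.
SAMPLE_CONFIG = """
cluster.name: support-analytics
node.name: node-1
network.host: 0.0.0.0      # listen on every interface
http.port: 9200
xpack.security.enabled: false
"""

# Bind addresses that keep the HTTP API off the network. "_local_" is the
# Elasticsearch default when network.host is not set at all.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_yaml_flat(text):
    """Parse the flat 'key: value' lines that make up a typical elasticsearch.yml."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"^([\w.\-]+)\s*:\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return settings


def audit_elasticsearch(settings):
    """Return a list of findings; an empty list means no obvious exposure."""
    findings = []
    # Security must be enabled explicitly; treat an absent key as not enabled.
    secured = settings.get("xpack.security.enabled", "").lower() == "true"
    if not secured:
        findings.append("xpack.security.enabled is not 'true': no authentication on the HTTP API")
    # The HTTP listener inherits network.host unless http.host overrides it.
    bind = settings.get("http.host", settings.get("network.host", "_local_"))
    if bind not in LOOPBACK:
        findings.append(f"HTTP API bound to {bind}: reachable beyond the local host")
    if not secured and bind not in LOOPBACK:
        findings.append("CRITICAL: unauthenticated cluster bound to a non-loopback address")
    return findings


if __name__ == "__main__":
    for finding in audit_elasticsearch(parse_yaml_flat(SAMPLE_CONFIG)):
        print(finding)
```

Run it against each node's elasticsearch.yml from a periodic job; any CRITICAL finding is the condition that lets an indexer like BinaryEdge catalogue the data.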

But it seems Microsoft employed some good data hygiene practices, with Microsoft’s Doerr noting that data stored in the support case analytics database was redacted to remove personal information. However, a portion of the data was not redacted.

While the exposed data itself should not pose much of a risk, it could still be used in phishing scams, so Microsoft customers are advised to be on the lookout. As a result of this incident, the company said it began notifying impacted customers whose data was present in the exposed Customer Service and Support database.

Source: Comparitech, Microsoft

Image Credit: Photo by Tadas Sar on Unsplash

Raja Rajan
