Microsoft accidentally exposed 250 million customer support records online

Even Microsoft isn’t immune to security blunders due to misconfigured databases. 

Microsoft today revealed it had briefly exposed an internal customer support database on the web, potentially giving anyone access to more than 250 million customer support records covering communications from the past 14 years.

Eric Doerr, general manager of the Microsoft Security Response Center, disclosed the security blunder in a blog post today, noting that the company’s investigation found “no malicious use” of the database, which Microsoft uses for support case analytics.

Doerr said the configuration error, which was discovered by security researcher Bob Diachenko on 28 December, was fixed two days later on New Year’s Eve. He also emphasized that the security lapse did not expose Microsoft’s commercial cloud services.

“Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data,” wrote Doerr.  

“Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services.”   

Diachenko, a researcher at Comparitech, has identified multiple exposed databases on the web, including a 51GB trove of financial data and credentials exposed by a misconfigured ElasticSearch. He also found an unprotected 4.4GB ElasticSearch database of people and businesses considered to be “high-risk” by stock market index Dow Jones.  

“Misconfigurations happen - no matter how big or secured a company is,” he said of Microsoft’s issue.

According to Comparitech, Diachenko found five Microsoft ElasticSearch servers that contained an identical set of 250 million Microsoft customer records that included communications between the company and its customers over 14 years, from 2005 to December 2019.  

Customer data that was exposed included email addresses, IP addresses, locations, descriptions of customer support claims and cases, Microsoft support agent emails, case numbers, resolutions, and remarks, as well as internal notes marked as “confidential”.

It seems Microsoft did employ some good data hygiene practices: Doerr noted that data stored in the support case analytics database was redacted to remove personal information. However, a portion of the data was not redacted.

Despite Microsoft’s redaction efforts, Comparitech points out that the information could still be worth something to tech support scammers since it gives them detailed logs and case information on potential targets. 

Tech support scammers frequently exploit the Microsoft brand to con would-be victims into buying fake tech support or installing remote access tools.

“Misconfigurations are unfortunately a common error across the industry,” said Doerr. “We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”
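Doerr’s advice to periodically review network security group configurations can be turned into a small check. The script below is an added example, not Microsoft’s tooling and not the actual rules involved in this incident: it simulates how Azure evaluates NSG inbound rules (lowest priority number first, first match wins, built-in default rules last) and reports which ports the public Internet can reach, using constructed rule sets for a weak and a corrected NSG in front of an Elasticsearch server.

```python
# Added example: audit Azure NSG inbound rules for Internet-reachable ports.
# Azure evaluates NSG rules by priority (lower number first); the first
# matching rule decides, and the built-in defaults below apply last.
# All rule sets here are constructed for illustration.
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}   # source prefixes that admit the public Internet
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "source": "VirtualNetwork", "port": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "source": "AzureLoadBalancer", "port": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "source": "*", "port": "*"},
]

def port_matches(rule_port: str, port: int) -> bool:
    """Match '*', a single port, a range 'a-b', or a comma list of those."""
    for part in rule_port.split(","):
        part = part.strip()
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def effective_access(rules, port: int):
    """Simulate an inbound connection from the public Internet to `port`:
    custom plus default rules, sorted by priority, first match wins.
    Returns (access, name of the deciding rule)."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if rule["source"] in INTERNET_SOURCES and port_matches(rule["port"], port):
            return rule["access"], rule["name"]
    raise RuntimeError("DenyAllInBound should always match")

def internet_exposed_ports(rules, ports):
    """Return {port: deciding rule} for every port the Internet can reach."""
    exposed = {}
    for port in ports:
        access, name = effective_access(rules, port)
        if access == "Allow":
            exposed[port] = name
    return exposed

# Constructed NSGs: the weak one opens the Elasticsearch ports to any source;
# the corrected one denies them from the Internet ahead of a VNet-only allow.
WEAK_NSG = [
    {"name": "allow-es-any", "priority": 100, "access": "Allow", "source": "*", "port": "9200-9300"},
    {"name": "allow-ssh-bastion", "priority": 110, "access": "Allow", "source": "10.0.1.0/24", "port": "22"},
]
FIXED_NSG = [
    {"name": "deny-es-internet", "priority": 100, "access": "Deny", "source": "Internet", "port": "9200-9300"},
    {"name": "allow-es-vnet", "priority": 110, "access": "Allow", "source": "VirtualNetwork", "port": "9200-9300"},
]
```

Run against the weak rule set the check reports ports 9200 and 9300 as reachable from the Internet via `allow-es-any`; against the corrected set it reports nothing, with `deny-es-internet` as the deciding rule for the Elasticsearch ports.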

Copyright © 2020 IDG Communications, Inc.
