
Microsoft discloses security breach of customer support database


steven36


Five servers storing customer support analytics were accidentally exposed online in December 2019.

 


 

Microsoft disclosed today a security breach that took place last month in December 2019.

 

In a blog post today, the OS maker said that an internal customer support database that was storing anonymized user analytics was accidentally exposed online without proper protections between December 5 and December 31.

 

The database was spotted and reported to Microsoft by Bob Diachenko, a security researcher with Security Discovery.

 

The leaky customer support database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations, Diachenko told ZDNet today. All five servers stored the same data, appearing to be mirrors of each other.

 

Diachenko said Microsoft secured the exposed database on the same day he reported the issue to the OS maker, despite being New Year's Eve.

 

"I have been in touch with the Microsoft team helping and supporting them to properly investigate it," Diachenko told ZDNet.

 

The servers contained roughly 250 million entries. Microsoft says that most of the records didn't contain any personal user information.

 

 

"As part of Microsoft's standard operating procedures, data stored in the support case analytics database is redacted using automated tools to remove personal information," Microsoft said.

 

However, in cases where users filed customer support requests using non-standard formatted data such as ("name surname @ emaildomain com" instead of "[email protected]") the data was not detected and redacted, and remained in the exposed database.

 

For these cases, Microsoft said it began notifying impacted customers today, although it also added that it "found no malicious use" of the data.

 

Microsoft blamed the accidental server exposure on misconfigured Azure security rules it deployed on December 5, which it has now fixed. Following the leak, Microsoft says it is now:

 

  • Auditing the established network security rules for internal resources. 
  • Expanding the scope of the mechanisms that detect security rule misconfigurations.  
  • Adding additional alerting to service teams when security rule misconfigurations are detected. 
  • Implementing additional redaction automation.

Source
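The redaction gap described in the article above (a loosely written address such as "name surname @ emaildomain com" slipping past automated redaction) can be reproduced and closed in a few lines. This is an added example, not Microsoft's tooling or code from the article; the patterns, the short TLD list, the `[EMAIL]` placeholder and the sample records are all assumptions constructed for illustration.

```python
import re

# Assumption: short TLD list for the demo; a real pipeline needs a full one.
TLDS = r"(?:com|net|org|edu|gov|io|co|uk|de)"

# Strict shape only: what a redactor tuned to well-formed input catches.
STRICT = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Loose shape: "@" and "." may be space-padded or bracketed ("(at)",
# "[dot]"), and the dot may be replaced by plain whitespace. Up to two
# tokens before the "@" are treated as the local part; over-redaction
# is the safe direction.
AT = r"\s*(?:@|[\[(]\s*at\s*[\])])\s*"
DOT = r"(?:\s*(?:\.|[\[(]\s*dot\s*[\])])\s*|\s+)"
LOOSE = re.compile(
    rf"\b(?:[\w+-]+{DOT})?[\w+-]+{AT}[\w-]+(?:{DOT}[\w-]+)*?{DOT}{TLDS}\b",
    re.IGNORECASE,
)

# Tripwire for text that still looks address-like after both passes.
RESIDUE = re.compile(r"@|[\[(]\s*at\s*[\])]", re.IGNORECASE)

def redact(text):
    """Return (redacted_text, hit counts per pattern)."""
    text, strict_hits = STRICT.subn("[EMAIL]", text)
    text, loose_hits = LOOSE.subn("[EMAIL]", text)
    return text, {"strict": strict_hits, "loose": loose_hits}

def needs_review(redacted):
    """True when a record should be held back for manual review."""
    return bool(RESIDUE.search(redacted))

# Constructed sample support-case text, not data from the incident.
SAMPLES = [
    "Customer jane.doe@example.com cannot sign in.",
    "Reach me on name surname @ emaildomain com after 5pm.",
    "Backup contact: alice (at) contoso [dot] org",
    "User says handle is @jdoe on the forum.",
]

if __name__ == "__main__":
    for record in SAMPLES:
        clean, hits = redact(record)
        print(hits, needs_review(clean), clean)
```

The strict pattern alone leaves the second and third records untouched, which is the failure mode the article describes; the last record shows why a post-redaction review queue is still needed for text no pattern recognises.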


WindiLeaks: Microsoft exposes 250 million customer support records dating back to 2005. (Not on purpose though)

 

Quickly shuttered partially redacted exposed DB, which included 'internal notes marked as confidential'

 


 

Five identical Elasticsearch databases containing 250 million records of Microsoft customer support incidents were exposed on the internet for all to see for at least two days right at the end of 2019.

 

On 28 December 2019, these databases were found by BinaryEdge, which crawls the internet looking for exposed data. This was then picked up by security researcher Bob Diachenko, who reported the problem to Microsoft.

 

Microsoft secured the databases over 30-31 December, winning praise from Diachenko for "quick turnaround on this despite [it being] New Year's Eve".

 

That is cold comfort for customers whose data was exposed. What has been picked up by security researchers may well also have been found by criminals.

 

What data was published? These are logs of customer service and support interactions between 2005 and now. The good-ish news is that "most of the personally identifiable information — email aliases, contract numbers, and payment information — was redacted", according to Comparitech. However, a subset contained plain-text data including email addresses, IP addresses, case descriptions, emails from Microsoft support, case numbers and "internal notes marked as confidential".

 

Armed with this information, there is plenty of scope for identifying the customers, learning more about their internal IT systems if they are businesses, and using the data for activities such as impersonating Microsoft support and thereby gaining access to personal computers or business networks. "Just a quick follow-up on case xxxx…"

 

Eric Doerr, general manager of Microsoft's Security Response Center (MSRC), said: "We're thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate."

 

It is not yet clear how many of the records include identifiable information, nor how they break down in terms of business versus consumer interactions. We have asked Microsoft for comment and will update with information received. Microsoft has posted further information about the incident here.

 

Despite the absence of financial or username/password data in the leaked database, the incident is embarrassing for Microsoft, undermining its efforts to keep its customers secure.

 

Calls from fake Microsoft support staff are nothing new; they are so widespread that most of us have received a few. What's different now is that they may be better informed than before, so the solution is to be even more wary.

 

Source



Archived

This topic is now archived and is closed to further replies.
