Microsoft accidentally exposed 250 million customer service and support records online. The inadvertent data leak occurred because of a “misconfiguration” of a database the company used to store customer support information. Microsoft has officially acknowledged the data leak and has secured the database. However, the company’s handling of the exposure of important and most likely sensitive information belonging to millions of Microsoft customers raises serious questions about data integrity and protection.
After a report surfaced claiming that Microsoft had exposed data on about 250 million of its customers, the company confirmed it. Microsoft indicated that the database had not been correctly configured to protect it from such a massive exposure. The leaked data spans more than 14 years and contains many snippets of information about customers and their interactions with Microsoft. The company has since secured the database and stated that it never contained personally identifiable information.
Microsoft Accidentally Exposes 250 Million Customer Service And Support Records Online And Blames Poor Configuration:
The leaked data included conversations between Microsoft support agents and customers recorded from 2005 to December 2019. Essentially, Microsoft left the data unsecured: the database was open and accessible to anyone. Such ‘unsecured’ databases are surprisingly common. They are not easy to stumble upon by chance, but because they are protected by neither passwords nor encryption, anyone who locates them can read their contents.
Unprotected Database Exposes 250 Million #Microsoft Customer Support Records Online
— Mohit Kumar (@unix_root) January 22, 2020
The exposed and unsecured data was discovered on December 29, and after being alerted about the same, Microsoft took corrective action within a day, indicated Bob Diachenko of the Comparitech security research team. “I immediately reported this to Microsoft and within 24 hours all servers were secured. I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve.”
The leaked data contained the following information:
- Customer email addresses
- IP addresses
- Descriptions of CSS (Customer Service and Support) claims and cases
- Microsoft support agent emails
- Case numbers, resolutions, and remarks
- Internal notes marked as “confidential”
Exposed Customer Databases Are Highly Dangerous In The Long-term, Indicate Experts:
It is quite likely that Microsoft will issue some form of alert to the customers whose records were part of the exposed database. In the wrong hands, however, this data is very valuable, because it can easily be used to launch tech support scams: the support records include details that only Microsoft should know, so a caller quoting them can readily convince and defraud a victim. Microsoft has confirmed that it will take the following actions to prevent future occurrences of this issue:
- Auditing the established network security rules for internal resources.
- Expanding the scope of the mechanisms that detect security rule misconfigurations.
- Adding additional alerting to service teams when security rule misconfigurations are detected.
- Implementing additional redaction automation.
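Two of the mitigations above, detecting security rules that expose a data store and redacting customer identifiers from support records, lend themselves to automation. The following is an added Python example written for this article, not Microsoft's own tooling: the rule dictionaries use an assumed, simplified NSG-like shape (direction, access, source, dest_ports) and all sample data is constructed.

```python
import ipaddress
import re

ELASTIC_PORTS = {9200, 9300}  # Elasticsearch REST API and node transport

def _ports_in_range(spec):
    # Expand an NSG-style port spec ('*', '9200', '9200-9300') to the ES ports it covers.
    if spec == "*":
        return set(ELASTIC_PORTS)
    lo, _, hi = spec.partition("-")
    return {p for p in ELASTIC_PORTS if int(lo) <= p <= int(hi or lo)}

def _source_is_internet(src):
    # True when the source admits any Internet address ('*', 'Internet', 0.0.0.0/0, ::/0).
    if src in ("*", "Internet"):
        return True
    try:
        return ipaddress.ip_network(src, strict=False).prefixlen == 0
    except ValueError:
        return False

def exposed_elastic_rules(rules):
    # Names of inbound allow rules that open an Elasticsearch port to the whole Internet.
    return [r["name"] for r in rules
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and _source_is_internet(r["source"])
            and _ports_in_range(r["dest_ports"])]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def redact_record(record):
    # Replace e-mail and IPv4 addresses in every string field before the record is stored.
    out = {}
    for key, value in record.items():
        if isinstance(value, str):
            value = IPV4_RE.sub("[IP]", EMAIL_RE.sub("[EMAIL]", value))
        out[key] = value
    return out

# Constructed sample data (not from the incident); rule dicts use an assumed simplified shape.
SAMPLE_RULES = [
    {"name": "allow-es-any", "direction": "Inbound", "access": "Allow",
     "source": "0.0.0.0/0", "dest_ports": "9200-9300"},
    {"name": "allow-es-vnet", "direction": "Inbound", "access": "Allow",
     "source": "10.0.0.0/8", "dest_ports": "9200"},
]
SAMPLE_CASE = {"case": "000123", "notes": "Contact alice@example.com from 203.0.113.7 re login."}
```

Running `exposed_elastic_rules(SAMPLE_RULES)` flags only `allow-es-any`, and `redact_record(SAMPLE_CASE)` returns the note with both identifiers replaced by tokens.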
NEW: Microsoft discloses security breach of customer support database
* Misconfigured Azure rules expose 5 Elasticsearch servers
* Servers stored customer support analytics data
* Microsoft said the data was anonymized
* Leak timeline: Dec 5 -> Dec 31 https://t.co/WJfdiyAwn7
— Catalin Cimpanu (@campuscodi) January 22, 2020
There have been numerous reports of such exposed databases. The most common mistake among tech companies is leaving a database unsecured, without proper password protection. Such databases are not easy to find by accident, but many malware authors and hackers routinely run programs designed to sniff out unprotected or exposed databases. There have been quite a few cases in which attackers have either held the data for ransom or simply scraped valuable information that is then sold on the Dark Web.