As people around the globe rang in 2019, Microsoft security teams were working hard to rectify an embarrassing leak: 250 million conversations between support agents and customers had accidentally been left online without password protection.
Data found within this collection included emails, phone numbers and IP addresses as well as case details, resolutions and internal notes marked confidential – providing hackers with ample opportunity to launch tech support scams.
Microsoft recently made headlines when it revealed that its customer support database had been left online without password protection due to an accidental server misconfiguration, leaving 250 million online chat conversations between customers and Microsoft support agents accessible between December 5 and 31, as reported in the company’s blog post.
According to Comparitech, which discovered the exposure, an internal server intended for analytics was reachable from the internet without proper security measures and contained logs of communications between customers and Microsoft support representatives from around the globe. While most information was redacted for privacy reasons, some email addresses and IP addresses remained stored in plain text on these exposed servers.
No clear numbers were disclosed regarding how many companies were affected by the customer support database breach; however, the security researcher who discovered the servers and alerted Microsoft to the risk described those affected as “a small number of companies.”
Tech support scams could potentially emerge as a result of this incident, with hackers pretending to be Microsoft employees and fooling customers into providing their personal data in exchange for computer fixes. Microsoft has since apologized and pledged steps to prevent similar breaches from recurring, such as reviewing its internal security policies and developing tools that automatically redact sensitive information from customer service data.
Who Discovered the Breach?
Volodymyr Diachenko reported on Twitter that he had noticed a database that was publicly accessible without encryption or password protection; in a subsequent blog post he revealed it contained API logs of an unnamed company, exposed in an unsecured MongoDB NoSQL database, a type typically used to manage large volumes of user data. He reported it to Cognyte, which secured it within three days.
After eliminating threats and recovering systems, organizations must also communicate with affected individuals about the breach. They must offer a clear explanation of what transpired and the steps individuals can take to protect themselves from further harm; additionally, they should admit any fault they bear for contributing to it.
Organizations should report data breaches as required by law: HIPAA requires health care organizations to notify within 60 days of learning of a breach, and the EU GDPR requires notification within 72 hours of discovery. Businesses should also make their data breaches public by publishing them via databases like DataLossDB or Data Breach Today as well as portals like Wikileaks, as this increases transparency while decreasing the customer impact of breaches.
What Information Was Exposed?
Microsoft’s security team was busy closing an enormous hole in its online security while many were celebrating New Year’s Eve. According to its blog post on the matter, Microsoft revealed that an accident left 250 million support case records spanning 14 years without password protection, due to the misconfiguration of an internal Azure database.
The server, discovered by tech review site Comparitech and security researcher Bob Diachenko, hosted conversations between Microsoft support representatives and customers from around the globe.
Although nearly all sensitive information in the databases had been redacted, a substantial amount of plain-text data remained available: customer emails and IP addresses; descriptions of support claims and cases; Microsoft support agent emails; case numbers; resolutions; remarks; and internal notes marked as confidential.
No one knows whether anyone used the database to gain access to information or launch attacks, yet its availability raises serious concern. Anyone who contacted Microsoft support over the last 14 years should remain vigilant for suspicious activity and check their accounts frequently – particularly those with US phone numbers, as hackers have reported targeting that region with particular success.
How Was the Breach Discovered?
Security researcher Bob Diachenko discovered the breach on New Year’s Eve when he noticed exposed data still accessible online. Microsoft reported in its blog post that the customer support database contained logs of conversations between company support staff and customers from around the globe from 2005 through December 2019, including case details, notes, resolutions and locations; it also included email addresses, names and phone numbers, which may have enabled hackers to impersonate Microsoft support representatives to commit phishing or tech support scams.
Microsoft issued a statement detailing its actions: it fixed the misconfigured server that exposed 250 million customer support records, said it was not aware of any malicious use, and began notifying impacted customers as soon as possible.
Microsoft may reach out to people whose email addresses were exposed in the breach, though it most likely won’t: the company tends to notify people only of specific breaches and rarely contacts them directly about non-breach matters, so it is unlikely that anyone would receive unsolicited support services immediately after being affected by a data breach. Microsoft recommends that people be wary of calls purporting to come from “Microsoft” that request they install remote desktop viewing or access software, as these can be indicators of a scam.
How Long Was the Breach?
The Microsoft cloud database misconfiguration left 250 million records exposed online for approximately 25 days, within reach of any attacker. The data dates back as far as 2005 and was last exposed online in December. Conversations between customers and Microsoft employees, as well as personally identifiable information including email aliases, case numbers and contract data, were among this massive trove. Microsoft says it is in the process of notifying all affected individuals as soon as possible.
Security researcher Bob Diachenko discovered this database and reported it to Microsoft. It was housed on five Elasticsearch servers configured for anonymized user analytics; however, because they lacked authentication, anyone with internet access could reach them, run queries and look up individuals’ addresses.
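The condition described above, an Elasticsearch node bound to a public interface with no authentication, is visible in its configuration file before any data is exposed. The following is an added example, not Microsoft’s or Elastic’s code: a small checker that reads a flat elasticsearch.yml and flags that combination. The setting names (network.host, xpack.security.enabled, xpack.security.http.ssl.enabled) are real Elasticsearch settings; the rule applied here, “public bind plus security not explicitly enabled,” and both sample configurations are the example’s own.

```python
"""Audit a flat elasticsearch.yml for the 'reachable from the internet, no auth' pattern.

Added example, not vendor tooling. It understands the flat 'dotted.key: value' form
that elasticsearch.yml normally uses; nested YAML is out of scope for this checker.
"""
from __future__ import annotations

# Bind values that keep the node on the local machine only. Elasticsearch binds
# to loopback when network.host is not set at all, so an absent key is treated as local.
LOOPBACK_BINDS = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Return the key/value pairs of a flat elasticsearch.yml, ignoring comments and blanks."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # values containing '#' are not expected here
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_public_bind(host: str) -> bool:
    """True if any bind address in network.host is something other than loopback.

    Handles both a single value and a YAML flow list such as ["_local_", "_site_"].
    """
    items = [h.strip().strip("\"'") for h in host.strip("[]").split(",") if h.strip()]
    return any(item not in LOOPBACK_BINDS for item in items)


def audit(settings: dict[str, str]) -> list[str]:
    """Return one finding per weak setting; an empty list means the checked pattern is absent."""
    findings: list[str] = []
    host = settings.get("network.host", "127.0.0.1")
    if not is_public_bind(host):
        return findings  # a loopback-only node is not the exposure this checker looks for

    if settings.get("xpack.security.enabled", "").lower() != "true":
        findings.append(
            f"network.host={host} is reachable off-host but xpack.security.enabled is not true: "
            "the REST API requires no authentication"
        )
    if settings.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append(
            f"network.host={host} is reachable off-host but HTTP TLS is not enabled: "
            "queries and results travel in clear text"
        )
    return findings


# Constructed sample: the shape of an analytics node left open to the internet.
WEAK_CONFIG = """
cluster.name: support-analytics     # constructed example value
node.name: analytics-1
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false
"""

# Constructed sample: same node with authentication and TLS switched on.
HARDENED_CONFIG = """
cluster.name: support-analytics
node.name: analytics-1
network.host: ["_local_", "_site_"]
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(parse_flat_yaml(cfg)) or ["no findings"])
```

Run it against a real node’s elasticsearch.yml in a configuration pipeline so the check fails before deployment; on a running cluster the same condition shows up as an unauthenticated `GET /` succeeding from outside the host, which is what a perimeter scan or an inventory job should also alert on.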
Microsoft has not observed any signs of malicious use with respect to this breach and is investigating how it occurred. The incident underscores the risks of sharing too much personal data online and the importance of keeping passwords safe. It also highlights why companies need a plan for quickly reporting breaches and notifying affected customers as soon as they occur; those that take too long could face costly lawsuits from consumers and independent agencies, and according to IBM estimates the average breach costs approximately $740,000.
What Are the Risks?
As we transitioned into 2020, Microsoft’s security team worked feverishly to resolve an unprecedented breach that left 250 million customer service and support records exposed online, spanning 2005 through December of 2018 and including chat logs between customers and Microsoft support workers. While personal information in these chats had been removed by Microsoft support workers, risks for customers remain.
The data included customer email addresses, IP addresses, geographic locations, claim/case descriptions that had been marked confidential within Microsoft support, and resolutions. Detailed logs of calls between customers and support staff were also among the exposed data. Although most PII was redacted, what remained could be used by criminals in tech support scams that involve installing malware on victims’ devices in order to obtain financial data or other sensitive information.
Comparitech’s security research team, led by Bob Diachenko, quickly identified this breach. After finding the database on five Elasticsearch servers indexed by the IoT vulnerability search engine BinaryEdge, the team notified Microsoft immediately despite it being New Year’s Eve, and Microsoft secured the servers that same day. However, this incident is just the latest of many in which personal data has been exposed by misconfigured cloud servers.
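The page notes twice that redaction was applied but email and IP addresses survived in plain text in free-text fields, and that Microsoft pledged tooling to redact such data automatically. The following is an added example, not Microsoft’s tooling, of what such a pass looks like when it runs on a support-case record before the record reaches an analytics store: addresses are replaced with stable keyed pseudonyms so analysts can still correlate cases without seeing the raw value. The record layout, field names and the HMAC pepper are all constructed for the example.

```python
"""Redact e-mail and IP addresses from support-case records before analytics export.

Added example, not Microsoft's code. Free-text fields are scanned with loose regexes and
every candidate address is replaced by a keyed pseudonym; structured contact columns are
pseudonymised outright. The record shape and the pepper are constructed for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import re

# Constructed secret for the pseudonym HMAC; in production it comes from a secret store.
PEPPER = b"constructed-example-pepper-rotate-me"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Loose candidates only; ipaddress.ip_address() decides what is really an address, which
# rejects octets above 255, build numbers like 10.0.18362.1 and clock-like 12:30:45.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IPV6_RE = re.compile(r"\b(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{1,4}\b")

# Free-text columns that may contain contact data typed by agents or customers.
FREE_TEXT_FIELDS = ("description", "agent_notes", "resolution")


def pseudonym(kind: str, value: str) -> str:
    """Stable, keyed token for a value: same input gives the same token, nothing reversible."""
    digest = hmac.new(PEPPER, value.strip().lower().encode(), hashlib.sha256).hexdigest()
    return f"<{kind}:{digest[:10]}>"


def redact_text(text: str) -> tuple[str, dict[str, int]]:
    """Replace e-mail and IP addresses in free text; return the new text and per-kind counts."""
    counts = {"email": 0, "ip": 0}

    def sub_email(m: re.Match) -> str:
        counts["email"] += 1
        return pseudonym("email", m.group(0))

    def sub_ip(m: re.Match) -> str:
        try:
            ipaddress.ip_address(m.group(0))
        except ValueError:
            return m.group(0)  # regex candidate that is not an address: leave it alone
        counts["ip"] += 1
        return pseudonym("ip", m.group(0))

    text = EMAIL_RE.sub(sub_email, text)  # e-mails first so their tokens are never re-scanned as IPs
    text = IPV4_RE.sub(sub_ip, text)
    text = IPV6_RE.sub(sub_ip, text)
    return text, counts


def redact_record(record: dict) -> tuple[dict, dict[str, int]]:
    """Return a redacted copy of one case record plus the number of values replaced."""
    total = {"email": 0, "ip": 0}
    out = dict(record)
    for field in FREE_TEXT_FIELDS:
        if isinstance(out.get(field), str):
            out[field], counts = redact_text(out[field])
            for kind, n in counts.items():
                total[kind] += n
    # Structured contact columns are known to hold one value each, so no pattern matching.
    if out.get("customer_email"):
        out["customer_email"] = pseudonym("email", out["customer_email"])
        total["email"] += 1
    if out.get("customer_ip"):
        out["customer_ip"] = pseudonym("ip", out["customer_ip"])
        total["ip"] += 1
    return out, total


# Constructed sample record; every value here is made up for the example.
SAMPLE_CASE = {
    "case_id": "CASE-0000001",
    "customer_email": "alice@example.com",
    "customer_ip": "203.0.113.42",
    "description": "Customer alice@example.com cannot sign in from 203.0.113.42 since 12:30:45.",
    "agent_notes": "Confidential: also tried from 2001:db8::5; version 10.0.18362.1 installed.",
    "resolution": "Reset credentials; follow-up mail sent to alice@example.com.",
}


if __name__ == "__main__":
    redacted, replaced = redact_record(SAMPLE_CASE)
    for key, value in redacted.items():
        print(f"{key}: {value}")
    print("replaced:", replaced)
```

Because the same address always maps to the same token, an analyst can still see that the customer in the structured column is the one mentioned in the description, which is the correlation an analytics store needs; what the token cannot do is be turned back into the address without the pepper, so a copy of the redacted index leaking does not reproduce the exposure described on this page.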