Config flub by Microsoft exposed millions of customer details

Microsoft has acknowledged that it left hundreds of millions of customer support records exposed for most of December last year, having failed to apply appropriate security controls for a database.

Security vendor Comparitech researcher Bob Diachenko found the open database, which had been left exposed from December 5 to December 31 United States time, when Microsoft engineers secured it.

Diachenko said he found a set of five unsecured Elasticsearch databases on December 7.

Each stored an identical database that contains nearly 250 million customer service and support records.

The data could be accessed by anyone with a web browser, no password or other authentication required.

Apart from email and internet protocol address, the records contained case numbers and logs of conversations between Microsoft support agents and customers worldwide, from 2005 to December last year. 

Diachenko believes the data was only exposed for two days until he reported the leak to Microsoft.

While Microsoft said there is no evidence of malicious access to what it says is an internal database, it was indexed by information storage security company BinaryEdge.

Comparitech suggested that the data could have been valuable to tech support scammers impersonating Microsoft, to defraud customers.

Microsoft thanked Diachenko, and said it wanted to be transparent with customers and reassure them that it is taking the incident very seriously and holding themselves accountable.

"Misconfigurations are unfortunately a common error across the industry.

We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database.

As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available," Microsoft top infosec executives Ann Johnson and Eric Doerr wrote in the company's mea culpa.

No personally indentifiable information was exposed, Microsoft said. 

Microsoft's standard operating procedures automatically remove personal information in support case analytics databases, but in some cases this had not worked.

If customer data was entered in a non-standard format, such as email addresses with spaces, they may have been left un-redacted, Microsoft said.

The company has started notifying customers whose details were in the exposed database, and tightened up security procedures to prevent future leaks.