Config flub by Microsoft exposed millions of customer details

By on
Config flub by Microsoft exposed millions of customer details

Nearly 250 million records visible on the web.

Microsoft has acknowledged that it left hundreds of millions of customer support records exposed for most of December last year, having failed to apply appropriate security controls for a database.

Security vendor Comparitech researcher Bob Diachenko found the open database, which had been left exposed from December 5 to December 31 United States time, when Microsoft engineers secured it.

Diachenko said he found a set of five unsecured Elasticsearch databases on December 7.

Each stored an identical database that contains nearly 250 million customer service and support records.

The data could be accessed by anyone with a web browser, no password or other authentication required.

Apart from email and internet protocol address, the records contained case numbers and logs of conversations between Microsoft support agents and customers worldwide, from 2005 to December last year. 

Diachenko believes the data was only exposed for two days until he reported the leak to Microsoft.

While Microsoft said there is no evidence of malicious access to what it says is an internal database, it was indexed by information storage security company BinaryEdge.

Comparitech suggested that the data could have been valuable to tech support scammers impersonating Microsoft, to defraud customers.

Microsoft thanked Diachenko, and said it wanted to be transparent with customers and reassure them that it is taking the incident very seriously and holding themselves accountable.

"Misconfigurations are unfortunately a common error across the industry.

We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database.

As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available," Microsoft top infosec executives Ann Johnson and Eric Doerr wrote in the company's mea culpa.

No personally indentifiable information was exposed, Microsoft said. 

Microsoft's standard operating procedures automatically remove personal information in support case analytics databases, but in some cases this had not worked.

If customer data was entered in a non-standard format, such as email addresses with spaces, they may have been left un-redacted, Microsoft said.

The company has started notifying customers whose details were in the exposed database, and tightened up security procedures to prevent future leaks.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
microsoft privacy security

Most Read Articles

Centrelink IT system risks 'largely' managed during WPIT overhaul

Centrelink IT system risks 'largely' managed during WPIT overhaul
Researchers say not to use myGovID until login flaw is fixed

Researchers say not to use myGovID until login flaw is fixed
DOS Subsystem for Linux breaks cover

DOS Subsystem for Linux breaks cover
NBN Co to spend $3bn upgrading half of FTTN network to full fibre

NBN Co to spend $3bn upgrading half of FTTN network to full fibre
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

A Migration Guide For Businesses Switching Mobile Device Management Solutions
A Migration Guide For Businesses Switching Mobile Device Management Solutions
Plan your post-COVID security strategy
Plan your post-COVID security strategy
The Executive's Guide To The Future Of Work
The Executive's Guide To The Future Of Work
Government Digital Transformation Requires Customer Obsession
Government Digital Transformation Requires Customer Obsession
Master the fundamentals of AWS cost efficiency
Master the fundamentals of AWS cost efficiency

Events

Log In

Username / Email:
Password:
  |  Forgot your password?