Microsoft is at the centre of an embarrassing data breach that has exposed the customer service and support records of 250 million people.
Some of the exposed records date back to 2005, and Microsoft has admitted it was to blame: the five Elasticsearch servers were exposed when changes were made to the database’s network security group on 5 December 2019.
It should be remembered that breaches have happened before at Microsoft. In 2017 for example, it was revealed that a 2013 breach of Microsoft’s internal systems was more extensive than the company had admitted at the time, giving hackers access to a secret repository of software bugs that could have been used to hack into the systems of other users or organisations.
In February 2013 Microsoft had acknowledged it had been hacked by a secretive group that had also targeted companies including Apple, Facebook and Twitter, but at the time it described the incident only as affecting a “small number of computers” and as not having affected customer data.
Then in April 2019, Microsoft confirmed that hackers had targeted an unspecified number of users’ online email accounts across Outlook, Hotmail and MSN services for a period of three months after hacking a customer support account.
But the latest breach has been uncovered by researchers at Comparitech during the New Year, when the software giant exposed nearly 250 million Customer Service and Support (CSS) records on the web.
“The records contained logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019,” Comparitech warned. “All of the data was left accessible to anyone with a web browser, with no password or other authentication needed.”
“The Comparitech security research team led by Bob Diachenko uncovered five Elasticsearch servers, each of which contained an apparently identical set of the 250 million records,” it said. “Diachenko immediately notified Microsoft upon discovering the exposed data, and Microsoft took swift action to secure it.”
“We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate,” noted Eric Doerr, general manager at Microsoft.
Diachenko praised Microsoft’s swift response (despite it being New Year’s Eve), noting that within 24 hours of being notified it had secured all the servers.
The good news is that most of the personally identifiable information – email aliases, contract numbers, and payment information – was redacted.
However, many records contained plain text data, including customer email addresses; IP addresses; locations; descriptions of CSS claims and cases; Microsoft support agent emails; case numbers, resolutions, and remarks; and internal notes marked as “confidential”.
Microsoft acknowledged the breach in a blog post on the matter.
“Today, we concluded an investigation into a misconfiguration of an internal customer support database used for Microsoft support case analytics,” wrote Microsoft. “While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.”
It said that it found a change made to the database’s network security group on 5 December, 2019 contained misconfigured security rules that enabled exposure of the data.
“We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence,” Redmond concluded. “We also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this misconfiguration, investigate the situation, and begin notifying customers as appropriate.”
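As an added illustration (not code from the article, Microsoft or Comparitech), this is the kind of check a defender can run over a set of network security group rules to catch the class of change described above: an inbound rule that opens Elasticsearch’s ports to any source. The rule fields mirror what Azure NSG rules carry (priority, direction, access, source prefix, destination port range), and the rules themselves are constructed sample data.

```python
from dataclasses import dataclass

ES_PORTS = {9200, 9300}                       # Elasticsearch REST and transport ports
ANY_SOURCE = {"*", "0.0.0.0/0", "internet"}   # prefixes / service tag that cover the public internet

@dataclass
class NsgRule:
    name: str
    priority: int      # lower number is evaluated first, as in Azure NSGs
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    source: str        # source address prefix or service tag
    dest_ports: str    # e.g. "9200", "9200-9300", "*", or a comma-separated list

def port_range_hits(spec, ports):
    """True if any port in `ports` falls inside the rule's destination port spec."""
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if any(lo <= p <= hi for p in ports):
            return True
    return False

def internet_reachable_es_ports(rules):
    """For each Elasticsearch port, walk inbound rules in priority order and take the
    first one whose source covers the internet; report the port if that rule allows.
    Returns {port: rule_name} for every exposed port (empty dict when nothing is exposed)."""
    exposed = {}
    for port in sorted(ES_PORTS):
        for r in sorted(rules, key=lambda r: r.priority):
            if r.direction != "Inbound" or r.source.lower() not in ANY_SOURCE:
                continue
            if port_range_hits(r.dest_ports, {port}):
                if r.access == "Allow":
                    exposed[port] = r.name
                break   # first matching rule decides; later rules are shadowed
    return exposed

# Constructed sample: a rule change that opens 9200 to everyone, ahead of the default deny.
SAMPLE_RULES = [
    NsgRule("AllowVnetES", 100, "Inbound", "Allow", "10.0.0.0/8", "9200-9300"),
    NsgRule("AllowAnalyticsAny", 200, "Inbound", "Allow", "*", "9200"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*"),
]
# Hardened set: the any-source allow is removed, so the default deny covers 9200 again.
HARDENED_RULES = [r for r in SAMPLE_RULES if r.name != "AllowAnalyticsAny"]

if __name__ == "__main__":
    print("exposed:", internet_reachable_es_ports(SAMPLE_RULES))    # {9200: 'AllowAnalyticsAny'}
    print("hardened:", internet_reachable_es_ports(HARDENED_RULES)) # {}
```

Such a check catches the network-layer exposure only; an Elasticsearch instance with no authentication, as the article describes, still needs access control on the service itself.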
And one security expert, Ekaterina Khrustaleva, COO of web security company ImmuniWeb, believes the fallout of this breach may not be as severe as that of other breaches, but that we could see more such incidents in the year ahead.
“Assuming the data was not exploited by malicious actors as per the official statement, there is not much practical risk so far,” noted Khrustaleva. “However, it is impossible to say whether the information from this server, or other presumably existing servers, has ever been detected and stolen by cybercriminals.”
“The absence of PII in the dump is irrelevant here, given that technical support logs frequently expose VIP clients, their internal systems and network configurations, and even passwords,” said Khrustaleva. “The data is a gold mine for patient criminals aiming to breach large organisations and governments.”
“Worse, many large companies and not only Microsoft have lost visibility of their external attack surface, exposing their clients and partners to significant risks,” Khrustaleva added. “We will likely see a multitude of similar incidents in 2020.”