Microsoft Confirms Breach Of 250 Million Customer Service Records

Microsoft is at the centre of an embarrassing data breach that has exposed the customer service and support records of 250 million people.

Some of the exposed records date back to 2005, and Microsoft has admitted it was to blame when the five Elasticsearch servers when changes were made to the database’s network security group on 5 December 2019.

It should be remembered that breaches have happened before at Microsoft. In 2017 for example, it was revealed that a 2013 breach of Microsoft’s internal systems was more extensive than the company had admitted at the time, giving hackers access to a secret repository of software bugs that could have been used to hack into the systems of other users or organisations.

Misconfigured database

In February 2013 Microsoft had acknowledged it had been hacked by a secretive group that had also targeted companies including Apple, Facebook and Twitter, but at the time it described the incident only as affecting a “small number of computers” and as not having affected customer data.

Then in April 2019, Microsoft confirmed that hackers had targeted an unspecified number of users’ online email accounts across Outlook, Hotmail and MSN services for a period of three months after hacking a customer support account.

But the latest breach has been uncovered by researchers at Comparitech during the New Year, when the software giant exposed nearly 250 million Customer Service and Support (CSS) records on the web.

“The records contained logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019,” Comparitech warned. “All of the data was left accessible to anyone with a web browser, with no password or other authentication needed.”

“The Comparitech security research team led by Bob Diachenko uncovered five Elasticsearch servers, each of which contained an apparently identical set of the 250 million records,” it said. “Diachenko immediately notified Microsoft upon discovering the exposed data, and Microsoft took swift action to secure it.”

“We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate,” noted Eric Doerr, general manager at Microsoft.

Diachenko praised Microsoft’s swift response (despite new years eve), noting that within 24 hours of being notified, it had secured all the servers.

The good news is that most of the personally identifiable information – email aliases, contract numbers, and payment information – was redacted.

However, many records contained plain text data, including customer email addresses; IP addresses; locations; descriptions of CSS claims and cases; Microsoft support agent emails; case numbers, resolutions, and remarks; and internal notes marked as “confidential”.

Microsoft acknowledgement

Microsoft acknowledged the breach in a blog post on the matter.

“Today, we concluded an investigation into a misconfiguration of an internal customer support database used for Microsoft support case analytics,” wrote Microsoft. “While the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.”

It said that it found a change made to the database’s network security group on 5 December, 2019 contained misconfigured security rules that enabled exposure of the data.

“We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence,” Redmond concluded. “We also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this misconfiguration, investigate the situation, and begin notifying customers as appropriate.”

And one security expert, Ekaterina Khrustaleva, COO of web security company ImmuniWeb, believes the fallout of this breach may not as severe as other breaches, but we could see more in the year ahead.

“Assuming the data was not exploited by malicious actors as per the official statement, there is not much practical risk so far,” noted Khrustaleva. “However, it is impossible to say whether the information from this server, or other presumably existing servers, has ever been detected and stolen by cybercriminals.”

“The absence of PII in the dump is irrelevant here, given that technical support logs frequently expose VIP clients, their internal systems and network configurations, and even passwords,” said Khrustaleva. “The data is a gold mine for patient criminals aiming to breach large organisations and governments.”

“Worse, many large companies and not only Microsoft have lost visibility of their external attack surface, exposing their clients and partners to significant risks,” Khrustaleva added. “We will likely see a multitude of similar incidents in 2020.”

Do you know all about security? Try our quiz!

Tom Jowitt @TJowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Coronavirus: Samsung, Facebook, Donate Devices To NHS

Samsung donates 2,000 robust smartphones and other equipment for NHS Nightingale hospitals, as Facebook donates 2,050 Portal devices

16 hours ago

Coronavirus: Amazon’s Jeff Bezos Quizzed Over Sacked Worker

Letter to CEO over fired worker, who raised concerns about worker protection and cleanliness of local Amazon facility during pandemic

17 hours ago

Coronavirus: US Senators Advised To Avoid Using Zoom – Report

US Senate reportedly becomes the latest organisation to advise members not to use Zoom, over privacy and security concerns

17 hours ago

Google Told By French Regulator To Pay For Re-using News Or Content

Google has been instructed by the French competition authority to pay French publishers and news agencies for re-using content or…

21 hours ago

Coronavirus: UK, US Warn Hackers Are Exploiting Pandemic

Cybersecurity officials in the UK and US are warning that state-backed hackers and criminals are taking advantage of the Coronavirus…

23 hours ago

Zoom Sued For Security Lapses, Hires Ex-Facebook Security Boss Stamos

Video conferencing app hit with lawsuit for overstating its privacy standards, as it hires former Facebook security executive

2 days ago