Microsoft left 250m customer records exposed over the New Year period

The data was accessible to anyone with a web browser and required no password or authentication, a new report has revealed

A new report has revealed the full scale of a data breach that affected 250m Microsoft customers over the new year period.

Conducted by a security research team at Comparitech, the report states that conversation logs between Microsoft support agents and customers all over the world were left vulnerable for two days before Comparitech alerted Microsoft and the data was secured. The customer support logs span 14 years in total, exposing conversations from 2005 to December 2019.

Shockingly, the data had no password protection and was left accessible to anyone with a web browser. Led by Bob Diachenko, the Comparitech team uncovered five Elasticsearch servers, each of which contained an identical set of the customer data. Diachenko immediately informed the global tech juggernaut, which took swift action to secure it.

“We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyse data, and notify customers as appropriate” – Eric Doerr, general manager, Microsoft

According to the research team, most of the personally identifiable information, such as email aliases, contract numbers and payment information, was redacted, but many records contained plain text data, including:

– Customer email addresses
– IP addresses
– Locations
– Descriptions of CSS claims and cases
– Microsoft support agent emails
– Case numbers, resolutions and remarks
– Internal notes marked as ‘confidential’


December 28, 2019: search engine BinaryEdge indexes databases

December 29, 2019: Diachenko discovers the databases and notifies Microsoft

December 30-31, 2019: data is secured by Microsoft while the investigation and remediation process begins

January 21, 2020: Microsoft discloses additional details of the exposure

“I immediately reported this to Microsoft and within 24 hours all servers were secured,” Diachenko remarked. “I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve.”

The Microsoft Security Response Center issued a response on 22 January, noting that “the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.”

The post also confirmed that the database was exposed from 5 December last year and that the exposure stemmed from misconfigured security rules. The statement included an official apology, with Microsoft adding: “We want to sincerely apologise and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence.”

Ian Thornton-Trump, CISO at Cyjax and co-host of the BeerConOne virtual security conference, told Forbes: “This is massive, and not unexpected to be honest. It just shows how difficult it is for anyone, even a giant tech company, to manage data and storage correctly.”
