Microsoft misconfiguration exposed 250M users’ data

Vendor apologises for New Year security lapse

Microsoft has admitted accidentally exposing customers' and agents’ data following a security error made over the New Year period. 

According to research firm Comparitech, which uncovered the flaw, 250 million customer service and support (CSS) records were exposed online for two days before New Year's Day.

Microsoft has admitted responsibility for the lapse, claiming a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data. 

The records contained logs of conversations between Microsoft support agents and global customers spanning a 14-year period from 2005.

“All of the data was left accessible to anyone with a web browser, with no password or other authentication needed,” a Comparitech blog post revealed. 

Upon being alerted by the lead cyber security researcher Bob Diachenko on 29 December, Microsoft secured the servers and data within 24 hours. The data did not contain personally identifiable information and did not affect the software giant’s Azure cloud services.

Exposed data included customer and agent email addresses, IP addresses, locations, CSS claims and cases and internal notes marked as “confidential”.

Although not an immediate risk to customers, Comparitech warned the effects of the exposure should not be underestimated.

In particular, the data could be valuable to tech support scammers, who could use the information to impersonate Microsoft staff in either phishing or device hijacking scams.

The researcher issued a warning to users to be on the lookout for potential Microsoft or Windows scams either via email or the phone, stressing that the vendor would never normally proactively provide tech support.

Three weeks after the exposure, Microsoft issued a contrite apology to customers in a company blog post. 

“We want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable,” Microsoft admitted in the blog dated 22 January.

“Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”

In an effort to prevent further incidents, Microsoft said it would now audit the network security rules for internal resources and expand the scope of mechanisms to detect security rule misconfigurations. It will also add more alerts for rule misconfigurations and implement more redaction automation.

