Microsoft misconfiguration exposed 250M users’ data
- 23 January, 2020 10:30
Microsoft has admitted accidentally exposing customers' and agents’ data following a security error made over the New Year period.
According to research firm Comparitech, which uncovered the flaw, 250 million customer service and support (CSS) records were exposed online for two days before New Year's Day.
Microsoft has admitted responsibility for the lapse, saying that a change made to the database’s network security group on 5 December 2019 contained misconfigured security rules that exposed the data.
The records contained logs of conversations between Microsoft support agents and global customers spanning a 14-year period from 2005.
“All of the data was left accessible to anyone with a web browser, with no password or other authentication needed,” a Comparitech blog post revealed.
After being alerted by lead cyber security researcher Bob Diachenko on 29 December, Microsoft secured the servers and data within 24 hours. The data did not contain personally identifiable information, and the exposure did not affect the software giant’s Azure cloud services.
Exposed data included customer and agent email addresses, IP addresses, locations, CSS claims and cases and internal notes marked as “confidential”.
Although not an immediate risk to customers, Comparitech warned the effects of the exposure should not be underestimated.
In particular, the data could be valuable to tech support scammers, who could use it to impersonate Microsoft staff in phishing or device hijacking scams.
The researcher warned users to be on the lookout for potential Microsoft or Windows scams by email or phone, stressing that the vendor does not normally offer tech support proactively.
Three weeks after the exposure, Microsoft issued a contrite apology to customers in a company blog post.
“We want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable,” Microsoft admitted in the blog dated 22 January.
“Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”
In an effort to prevent further incidents, Microsoft said it would audit the network security rules for internal resources and expand the scope of its mechanisms for detecting security rule misconfigurations. It will also add more alerts for rule misconfigurations and implement more redaction automation.
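As an added illustration of the kind of network security rule audit Microsoft describes, the following Python check (example code written for this page, not Microsoft's or Comparitech's tooling) scans rules in the Azure NSG securityRules shape (direction, access, priority, sourceAddressPrefix, destinationPortRange(s)) and reports which Allow rules open database ports to the Internet, honouring first-match priority order. The rule records and the sensitive-port list are constructed assumptions, not the incident's actual configuration.

```python
"""Audit Azure-style NSG rules for database ports reachable from the Internet.
Added example, not Microsoft's or Comparitech's code; protocol is not modelled."""
# Source prefixes under which inbound traffic from the Internet matches a rule.
PUBLIC_SOURCES = {"*", "Internet", "0.0.0.0/0"}
# Constructed list: listeners that should never be reachable Internet-wide.
SENSITIVE_PORTS = {1433, 3306, 5432, 6379, 9200, 27017}

def ports_in_range(spec):
    """Expand 'nnn' or 'lo-hi' to a set of ports; None means '*' (every port)."""
    if spec.strip() == "*":
        return None
    lo, _, hi = spec.strip().partition("-")
    return set(range(int(lo), int(hi or lo) + 1))

def rule_ports(rule):
    """Union of a rule's destination ports; None if any range is '*'."""
    specs = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    found = set()
    for spec in specs:
        ports = ports_in_range(spec)
        if ports is None:
            return None
        found |= ports
    return found

def find_public_exposures(rules, sensitive=SENSITIVE_PORTS):
    """Map rule name -> sensitive ports it opens to the Internet. Rules apply in
    ascending priority, first match wins, so an earlier Deny shadows a later Allow."""
    inbound = sorted((r for r in rules if r.get("direction") == "Inbound"
                      and r.get("sourceAddressPrefix") in PUBLIC_SOURCES), key=lambda r: r["priority"])
    exposed = {}
    for port in sorted(sensitive):
        for rule in inbound:
            ports = rule_ports(rule)
            if ports is None or port in ports:
                if rule["access"] == "Allow":
                    exposed.setdefault(rule["name"], []).append(port)
                break  # first matching rule decides this port
    return exposed

SAMPLE_RULES = [  # constructed sample, not the incident's actual rules
    {"name": "deny-sql-from-internet", "priority": 100, "direction": "Inbound",
     "access": "Deny", "sourceAddressPrefix": "Internet", "destinationPortRange": "1433"},
    {"name": "allow-search-vnet", "priority": 300, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "VirtualNetwork", "destinationPortRanges": ["9200", "9300"]},
    {"name": "allow-mgmt-any", "priority": 400, "direction": "Inbound",
     "access": "Allow", "sourceAddressPrefix": "*", "destinationPortRange": "9000-9999"},
    {"name": "allow-all-tmp", "priority": 500, "direction": "Inbound",
     "access": "Allow", "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "*"},
]
```

Running `find_public_exposures(SAMPLE_RULES)` flags `allow-mgmt-any` (port 9200) and `allow-all-tmp` (the remaining database ports), while port 1433 stays quiet because the higher-precedence Deny shadows the later wildcard Allow.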