Microsoft accidentally exposed 250 million customer support records online
Microsoft revealed that they have inadvertently left 250+ million customer service and support requests exposed on several servers without password protection from Dec. 5 to Dec. 31, 2019.
The Comparitech security research team led by Bob Diachenko uncovered five Elasticsearch servers, each of which contained an apparently identical set of the 250 million user analytics records. Diachenko immediately notified Microsoft upon discovering the exposed data, and Microsoft took swift action to secure it, despite it being New Yea’s Eve.
I immediately reported this to Microsoft and within 24 hours all servers were secured. I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve.– Bob Diachenko, security researcher, Comparitech
According to Microsoft, the exposure was caused by a “misconfiguration” of one of its internal customer support databases. The company claims it found no evidence of “malicious use”. The data included conversation logs dating as far back as 2005 between Microsoft support personnel and customers from across the world. According to Comparitech, the database was not password-protected.
We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate.– Eric Doerr, General Manager, Microsoft
Comparitech shares details of the timeline of events:
- December 28, 2019 — The databases were indexed by search engine BinaryEdge
- December 29, 2019 — Diachenko discovered the databases and immediately notified Microsoft.
- December 30-31, 2019 — Microsoft secured the servers and data. Diachenko and Microsoft continued the investigation and remediation process.
- Jan 21, 2020 — Microsoft disclosed additional details about the exposure as a result of the investigation.
The leaked data contained the following information:
- Customer email addresses
- IP addresses
- Descriptions of CSS claims and cases
- Microsoft support agent emails
- Case numbers, resolutions, and remarks
- Internal notes marked as “confidential”
Microsoft also says it is committed to preventing this sort of situation from happening again, so it’s taking a number of steps. The actions include:
- Auditing the established network security rules for internal resources.
- Expanding the scope of the mechanisms that detect security rule misconfigurations.
- Adding additional alerting to service teams when security rule misconfigurations are detected.
- Implementing additional redaction automation.
Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.– Microsoft security team
But it seems Microsoft employed some good data hygiene practices, with Microsoft’s Doerr noting that data stored in the support case analytics database was redacted to remove personal information. However, a portion of the data was not redacted.
While the exposed data itself should not pose much of a risk, it could still be used in phishing scams, so Microsoft customers are advised to be on the lookout. As a result of this incident, the company said it began notifying impacted customers whose data was present in the exposed Customer Service and Support database.