Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cloud Security

Microsoft Exposed 250 Million Customer Support Records

Nearly 250 million Microsoft Customer Service and Support (CSS) records were found exposed to the Internet in five insecure Elasticsearch databases, Comparitech reports.

Nearly 250 million Microsoft Customer Service and Support (CSS) records were found exposed to the Internet in five insecure Elasticsearch databases, Comparitech reports.

The records on those servers contained 14 years’ worth of logs of conversations between support agents and customers, all of which could be accessed by anyone directly from a browser, without any form of authentication.

Each of the five Elasticsearch servers contained an apparently identical set of records, with data spanning between 2005 and December 2019, Comparitech’s security researchers reveal.

While most of the personal information in those records was redacted, many records contained plain text data.

Exposed data in those records included customer email addresses, IP addresses, locations, descriptions of CSS claims and cases, Microsoft support agent emails, internal notes marked as “confidential,” and case numbers, resolutions, and remarks, the researchers say.

“I immediately reported this to Microsoft and within 24 hours all servers were secured,” security researcher Bob Diachenko, who led the Comparitech team, explains.

The data was exposed to the Internet for around two days before Microsoft secured the servers. The databases were indexed by search engine BinaryEdge on December 28, 2019, Diachenko discovered them the next day and notified Microsoft, and the company secured the servers on December 30.

The exposed data could be abused in attacks such as tech support scams, where cybercriminals impersonate Microsoft support representatives. With this data in hand they could refer to real case numbers, phish for sensitive information, or hijack devices, Comparitech says.

Advertisement. Scroll to continue reading.

“We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate,” commented Eric Doerr, general manager of Microsoft’s Security Response Center.

What is yet unclear is whether other unauthorized parties accessed the databases while they were exposed.

UPDATE. Microsoft says that the exposure was the result of a misconfiguration that occurred on December 5, but that its investigation into the incident did not reveal malicious use.

“Our investigation confirmed that the vast majority of records were cleared of personal information in accordance with our standard practices. In some scenarios, the data may have remained unredacted if it met specific conditions. […]We have begun notifications to customers whose data was present in this redacted database,” the company says.

Related: Data on 1.2 Billion Users Found in Exposed Elasticsearch Server

Related: Millions of Unencrypted Fingerprint and Facial Biometrics Found on Unsecured Database

Related: Unprotected Database Exposes Details of Honda’s Internal Network

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to Outlook.com and Exchange Online.

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...