Jimi Wikman
Microsoft exposes customer data - 250 million records at risk


Microsoft accidentally exposed nearly 250 million Customer Service and Support records on the web. The records contained logs of conversations between Microsoft and customers from all over the world. The data spans a 14-year period from 2005 to December 2019. All of it was left accessible to anyone with a web browser, with no password or other authentication needed.

    The Comparitech security research team led by Bob Diachenko uncovered five Elasticsearch servers, each of which contained an apparently identical set of the 250 million records. Diachenko immediately notified Microsoft upon discovering the exposed data, and Microsoft took swift action to secure it.

Despite the swift action from Microsoft, the data was exposed for 25 days over the holidays. The exposed information includes customer email addresses, IP addresses and physical locations, descriptions of customer service claims and cases, case numbers, resolutions and remarks, and internal notes marked "confidential". This information, all in plain text, is pretty much everything needed for a full-scale fraud campaign, as Paul Bischoff explains in his post.

    Quote

    “The data could be valuable to tech support scammers, in particular,” he said. “Tech support scams entail a scammer contacting users and pretending to be a Microsoft support representative. These types of scams are quite prevalent, and even when scammers don’t have any personal information about their targets, they often impersonate Microsoft staff. Microsoft Windows is, after all, the most popular operating system in the world.”

In its official response to the incident, Microsoft has begun reaching out to the millions of customers affected and urges users to stay alert should anyone contact them claiming to be a Microsoft representative.

    Quote

    “Microsoft customers and Windows users should be on the lookout for…scams via phone and email,” Comparitech’s Bischoff said. “Remember that Microsoft never proactively reaches out to users to solve their tech problems—users must approach Microsoft for help first. Microsoft employees will not ask for your password or request that you install remote desktop applications like TeamViewer. These are common tactics among tech scammers.”

With this error, some are questioning the security measures in place at Microsoft. Fausto Oliveira, principal security architect at Acceptto, gave this statement to Threatpost:

    Quote

    “This incident shows some concerning issues with the way data security was handled. These are the more worrying facts that arise from this incident: Access to the data was not protected using (at least) username and passwords, although for this level of confidentiality I would expect it to be protected using multifactor authentication.

Not all data was encrypted, and data about a customer is being retained well past what I would think reasonable — 14 years’ worth of support data strikes me as beyond a sensible data retention interval.

From the disclosure, the threat surface was exposed for 25 days; although Microsoft found no evidence of malicious use, it is quite a long interval of exposure; and poor governance. If the correct policies and processes were enforced effectively, this type of event should be near impossible to occur.”
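The incident above comes down to an Elasticsearch cluster that was reachable without any authentication, and Oliveira's statement lists the controls that were missing: authentication, encryption in transit, and sensible exposure. The following is an added example, not code from the original post or from Microsoft or Comparitech: a small audit of a flat elasticsearch.yml that flags those gaps before a node ever goes live. The two configuration texts are constructed for illustration; the setting names (`xpack.security.enabled`, `xpack.security.http.ssl.enabled`, `xpack.security.transport.ssl.enabled`, `network.host`) are real Elasticsearch settings, and the parser assumes the flat `key: value` layout the file normally uses (nested YAML is out of scope).

```python
"""Audit a flat elasticsearch.yml for the control gaps described in the post.

Added example code, not part of the original article. The config samples
below are constructed; the setting names are real Elasticsearch settings.
"""

# Constructed sample 1: the kind of default-ish config that leaves a cluster open.
OPEN_CONFIG = """\
cluster.name: support-logs
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
xpack.security.enabled: false  # no users, no roles, no auth on the REST API
"""

# Constructed sample 2: the same node with the missing controls switched on.
HARDENED_CONFIG = """\
cluster.name: support-logs
network.host: 10.0.5.12        # constructed private address; not reachable from the internet
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

# Values of network.host that bind to every (or every routable) interface.
WIDE_OPEN_HOSTS = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text):
    """Parse 'key: value' lines; strips comments, ignores blanks.

    Assumption: flat keys only, which is how elasticsearch.yml is usually written.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def is_true(value):
    """Elasticsearch booleans are the strings 'true'/'false'; a missing key is not true."""
    return (value or "").strip().lower() == "true"


def audit(settings):
    """Return a list of findings; an empty list means the checked controls are present."""
    findings = []

    # 1. Authentication. Older releases shipped with security off unless this was set,
    #    which is exactly the state that makes a node readable by anyone who can reach it.
    if not is_true(settings.get("xpack.security.enabled")):
        findings.append("xpack.security.enabled is not true: REST API has no authentication")
    else:
        # 2. Encryption in transit. Only meaningful once security is on; without TLS the
        #    credentials that security now demands travel in plaintext.
        if not is_true(settings.get("xpack.security.http.ssl.enabled")):
            findings.append("xpack.security.http.ssl.enabled is not true: REST traffic is plaintext")
        if not is_true(settings.get("xpack.security.transport.ssl.enabled")):
            findings.append("xpack.security.transport.ssl.enabled is not true: node-to-node traffic is plaintext")

    # 3. Exposure. Binding to every interface is what turns a misconfigured node into an
    #    internet-facing one; the default (loopback) is not flagged.
    host = settings.get("network.host", "")
    if host in WIDE_OPEN_HOSTS:
        findings.append(f"network.host is {host}: node listens on every interface")

    return findings


def audit_text(text):
    """Convenience wrapper: parse a config string and audit it."""
    return audit(parse_flat_yaml(text))


if __name__ == "__main__":
    for label, cfg in (("open", OPEN_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_text(cfg)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run as a pre-deployment check or in CI against the rendered config; a non-empty finding list should block the rollout. The check is deliberately conservative: it only reads the file, so a node that is protected by a firewall but has `network.host: 0.0.0.0` will still be flagged, which is the right default for data of this sensitivity.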


    Edited by Jimi Wikman
