Microsoft accidentally exposed nearly 250 million Customer Service and Support records on the web. The records contained logs of conversations between Microsoft and customers from all over the world, spanning a 14-year period from 2005 to December 2019. All of the data was left accessible to anyone with a web browser, with no password or other authentication needed.
The Comparitech security research team led by Bob Diachenko uncovered five Elasticsearch servers, each of which contained an apparently identical set of the 250 million records. Diachenko immediately notified Microsoft upon discovering the exposed data, and Microsoft took swift action to secure it.
Despite swift action from Microsoft, the data was exposed for 25 days over the holidays. The information exposed includes customer email addresses, IP addresses and physical locations, descriptions of customer service claims and cases, case numbers, resolutions and remarks, and internal notes marked "confidential". This information, all in plain text, is pretty much everything needed for a full-scale fraud campaign, as Paul Bischoff explains in his post.
“The data could be valuable to tech support scammers, in particular,” he said. “Tech support scams entail a scammer contacting users and pretending to be a Microsoft support representative. These types of scams are quite prevalent, and even when scammers don’t have any personal information about their targets, they often impersonate Microsoft staff. Microsoft Windows is, after all, the most popular operating system in the world.”
In its official response to the incident, Microsoft said it has begun reaching out to the millions of customers affected and urges users to stay alert should anyone contact them claiming to be a Microsoft representative.
“Microsoft customers and Windows users should be on the lookout for…scams via phone and email,” Comparitech’s Bischoff said. “Remember that Microsoft never proactively reaches out to users to solve their tech problems—users must approach Microsoft for help first. Microsoft employees will not ask for your password or request that you install remote desktop applications like TeamViewer. These are common tactics among tech scammers.”
“This incident shows some concerning issues with the way data security was handled. These are the more worrying facts that arise from this incident: access to the data was not protected using (at least) a username and password, although for this level of confidentiality I would expect it to be protected using multifactor authentication.
Not all data was encrypted, and data about a customer is being retained well past what I would think reasonable — 14 years’ worth of support data strikes me as beyond a sensible data retention interval.
From the disclosure, the threat surface was exposed for 25 days; although Microsoft found no evidence of malicious use, it is quite a long interval of exposure. And poor governance: if the correct policies and processes were enforced effectively, this type of event should be near impossible to occur.”
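The three failings named in the quote above (no authentication on the Elasticsearch servers, unencrypted data in transit, and no retention limit) each map to a concrete setting. The fragment below is an added illustration, not configuration from the original post and not Microsoft's actual configuration, which the post does not describe; it assumes a self-managed Elasticsearch 7.x node and shows the exposed-style settings commented out beside their hardened replacements. Setting names are standard Elasticsearch options; the keystore file names and the retention window are placeholders chosen for the example.

```yaml
# elasticsearch.yml (added example; placeholder values, not a real deployment)

# --- Exposure pattern: node reachable from any interface, security disabled ---
# network.host: 0.0.0.0
# xpack.security.enabled: false

# --- Hardened: bind to an internal address and require authentication ---
network.host: 10.0.0.5                     # placeholder internal address, not a public one
xpack.security.enabled: true               # every request must carry credentials

# Encrypt the REST API and node-to-node traffic so records are not readable on the wire
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12          # placeholder keystore name
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: transport.p12   # placeholder keystore name
xpack.security.transport.ssl.truststore.path: transport.p12

# Multifactor authentication is not native to Elasticsearch; it comes from the
# identity provider when logins are delegated to a SAML or OIDC realm, for example:
# xpack.security.authc.realms.saml.corp_sso:
#   order: 2
#   idp.metadata.path: saml/idp-metadata.xml   # placeholder path
#   idp.entity_id: "https://idp.example.invalid"
#   sp.entity_id: "https://es.example.invalid"
#   sp.acs: "https://es.example.invalid/api/security/v1/saml"
#   attributes.principal: "nameid"
```

Retention is handled separately from this file: an index lifecycle management policy with a `delete` phase (for example `"delete": {"min_age": "730d", "actions": {"delete": {}}}`, where the 730-day window is a placeholder) attached to the support-log index template removes records automatically once they exceed the chosen interval, which is the control the quoted author notes was missing for 14 years of case history. A useful check after enabling security is that an unauthenticated request to the REST port returns HTTP 401 rather than index contents.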