A new report reveals that 250 million Microsoft customer records, spanning 14 years, have been exposed online without password protection.Microsoft has been in the news for, mostly, the wrong reasons recently. There is the Internet Explorer zero-day vulnerability that Microsoft hasn't issued a patch for, despite it being actively exploited. That came just days after the U.S. Government issued a critical Windows 10 update now alert concerning the "extraordinarily serious" curveball crypto vulnerability. Now a newly published report, has revealed that 250 million Microsoft customer records, spanning an incredible 14 years in all, have been exposed online in a database with no password protection.
What Microsoft customer records were exposed online, and where did they come from?
Paul Bischoff, a privacy advocate and editor at Comparitech, has revealed how an investigation by the Comparitech security research team uncovered no less than five servers containing the same set of 250 million records. Those records were customer service and support logs detailing conversations between Microsoft support agents and customers from across the world. Incredibly, the unsecured Elasticsearch servers contained records spanning a period from 2005 right through to December 2019. When I say unsecured, I mean that the data was accessible to anyone with a web browser who stumbled across the databases: no authentication at all was required to access them, according to the Comparitech report.
The nature of the data appears to be that much of the personally identifiable information was redacted. However, the researchers say that many contained plain text data including customer email addresses, IP addresses, geographical locations, descriptions of the customer service and support claims and cases, Microsoft support agent emails, case numbers and resolutions, and internal notes that had been marked as confidential. This may seem like no big deal in the overall scheme of things, but when you consider that Microsoft support scams are pretty rampant, it doesn't take a genius to work out how valuable such information would be to the fraudsters carrying out such attacks.
How was the Microsoft data exposure discovered, and how long did it take to lock down?On December 28, 2019, the databases in question were discovered and indexed by threat intelligence search engine BinaryEdge. The following day, Bob Diachenko, who headed up the Comparitech security research team, spotted them and notified Microsoft. "I immediately reported this to Microsoft, and within 24 hours, all servers were secured," Diachenko said. Considering the time of year, this was a remarkably quick response. That said, it was also a remarkably serious leak.
Eric Doerr, general manager at the Microsoft Security Response Center, said: "We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate."
It's not known at this point if the databases were accessed by any else during the time that they were exposed online.In a Microsoft Security Response Center posting dated January 22, Microsoft said that "the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable."
That posting also confirmed that the exposure of the database started on December 5, 2019, as the result of misconfigured security rules, and was remediated on December 31. The statement included an apology from Microsoft: "We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence."
It’s time for governments to start dropping the hammer on very preventable data breachesI asked Ian Thornton-Trump, CISO at Cyjax and co-host of the BeerConOne virtual security conference, for his thoughts about this incident. "This is massive, and not unexpected to be honest," he said, "it just shows how difficult it is for anyone, even a giant tech company, to manage data and storage correctly." Given that there has already been interest from European data protection agencies regarding how Microsoft collects data from Windows 10 users, it wouldn't surprise me if there are now further investigations with a view to EU General Data Protection Regulation (GDPR) penalties. "It kind of demoralizes my soul when even the vendor can’t seem to get it right," Thornton-Trump says, "and why the vendor is storing such ancient records in the first place? I think it’s time for governments to start dropping the hammer on these very preventable data breaches."
As long as these two terms continue to be misunderstood or interchanged for one another, businesses will struggle to protect the privacy of consumers online. Security software may address the challenge of protecting your devices from viruses and intruders, but it doesn’t provide control over how your information is shared online.
Updated January 22, 2020
This article was updated to include comments from, and a link to, a Microsoft statement