More than 250 million customer service and support records were exposed by Microsoft over a two-day period in December 2019 due to a server misconfiguration. Since the records weren’t secured with any authentication measures, anyone with an internet connection and a browser could have accessed the data.
The same set of 250 million records was stored on five Elasticsearch servers, which were spotted by Comparitech’s security researcher Bob Diachenko and his team on December 29th. They immediately notified Microsoft, which secured the data and started an investigation within two days.
Microsoft apologized for the incident and was quick to assure users that it had detected no malicious use of the leaky servers. The tech giant has also been in the news of late for other reasons, notably a severe vulnerability in Windows and a zero-day flaw in Internet Explorer.
What data?
The records comprised logs of exchanges between Microsoft’s customer support and its customers, spanning a 14-year period from 2005 to 2019.
While most of the sensitive information that was personally identifiable, such as payment information, was redacted, there were still a lot of records that were in plain-text form. The latter included IP addresses, locations, and internal notes that were marked “confidential”, customer email addresses, descriptions of customer service support claims and cases, Microsoft support agent emails, case numbers, resolutions, and remarks.
The cause?
The investigation revealed that the culprit was a change in the database’s network security group, which contained misconfigured security rules.
Such misconfigurations are not a rare occurrence, and we recently reported on a data leak that exposed birth certificate applications. Indeed, Microsoft echoed this very sentiment in a blog addressing its customers:
“Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”
Another data leak involving a misconfigured Elasticsearch server affected nearly all of Ecuador’s population a few months ago.