Microsoft has admitted that between December 5th-31st 2019, a mis-configuration of the security rules for (what should have been) an internal customer support database left it exposed for anyone to access – no password required.
According to researcher Bob Diachenko, who discovered the database was accessible to anyone capable of running a web browser, the nearly 250 million Customer Service and Support (CSS) records, contained logs of conversations between Microsoft’s support team and customers around the world.
The data, which covers a time period of 14 years from 2005 to December 2019, was found on five Elasticsearch servers, each of which contained what appears to have been an identical copy of the 250 million database records.
According to a blog post by Microsoft, the “vast majority of records” had been automatically redacted to remove some personal informations.
However, Diachenko reports that many records were found to contain the following sensitive information:
- Customer email addresses
- IP addresses
- Locations
- Descriptions of CSS claims and cases
- Microsoft support agent emails
- Case numbers, resolutions, and remarks
- Internal notes marked as “confidential”
Such information could clearly be useful to a scammer posing as a genuine Microsoft support technician.
Microsoft is clearly embarrassed by the goof:
“Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”
“We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence. We also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this mis-configuration, investigate the situation, and begin notifying customers as appropriate.”
Microsoft says its investigation into the security breach has “found no malicious use” of the data, but that it has begun to notify customers whose data was present in the unsecured database.