Microsoft exposes 250m customer records

Over the New Year, software giant Microsoft exposed nearly 250 million customer service and support (CSS) records on the Web.

This is according to UK-based firm Comparitech, which says the records contained logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019.

All of the data was left accessible to anyone with a Web browser, with no password or other authentication needed, the firm says.

The Comparitech security research team led by Bob Diachenko uncovered five Elasticsearch servers, each of which contained an apparently identical set of the 250 million records.
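Exposures of this kind typically trace back to an Elasticsearch node bound to a public interface with the built-in security features switched off. The fragment below, added here as an illustration and not taken from Microsoft or Comparitech (the page does not say which settings were in effect), contrasts that weak `elasticsearch.yml` with the hardened equivalent a defender would expect.

```yaml
# --- Weak: the pattern behind most "open Elasticsearch" findings (assumed, not from the report) ---
cluster.name: css-support-logs          # constructed name for this illustration
network.host: 0.0.0.0                   # listens on every interface, including the Internet-facing one
http.port: 9200
xpack.security.enabled: false           # no users, no roles: anyone reaching :9200 can read every index

# --- Hardened: bind privately, require authentication, encrypt the HTTP API ---
cluster.name: css-support-logs
network.host: 10.0.5.12                 # constructed private address; never a public interface
http.port: 9200
xpack.security.enabled: true            # every request must carry valid credentials or an API key
xpack.security.http.ssl.enabled: true   # TLS on the REST API so credentials are not sent in clear
xpack.security.http.ssl.keystore.path: certs/http.p12   # path is a placeholder for your own keystore
xpack.security.transport.ssl.enabled: true              # node-to-node traffic is encrypted as well
```

After the change, an anonymous `GET /` to port 9200 should return HTTP 401 rather than cluster metadata; an internal inventory that periodically issues that request against your own nodes is the cheapest detection for a regression.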

Diachenko immediately notified Microsoft upon discovering the exposed data, and Microsoft took swift action to secure it.

“We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyse data and notify customers as appropriate,” says Eric Doerr, general manager of Microsoft.

Timeline of the exposure

Comparitech says in total, the data was exposed for about two days before it alerted Microsoft and the records were secured.

  • 28 December 2019: The databases were indexed by search engine BinaryEdge.
  • 29 December 2019: Diachenko discovered the databases and immediately notified Microsoft.
  • 30 and 31 December 2019: Microsoft secured the servers and data. Diachenko and Microsoft continued the investigation and remediation process.
  • 21 January 2020: Microsoft disclosed additional details about the exposure as a result of the investigation.

“I immediately reported this to Microsoft and within 24 hours all servers were secured,” Diachenko says.

“I applaud the Microsoft support team for responsiveness and quick turnaround on this despite [it being] New Year’s Eve. We do not know if any other unauthorised parties accessed the database during that time.”

Diachenko explains that most of the personally identifiable information – e-mail aliases, contract numbers and payment information – was redacted.

However, he points out that many records contained plain text data, including but not limited to customer e-mail addresses, IP addresses, locations, descriptions of CSS claims and cases, Microsoft support agent e-mails, case numbers, resolutions and internal notes marked as “confidential”.

Comparitech notes that even though most personally identifiable information was redacted from the records, the dangers of this exposure should not be underestimated.

The data could be particularly valuable to tech support scammers, it says.

“Tech support scams entail a scammer contacting users and pretending to be a Microsoft support representative. These types of scams are quite prevalent, and even when scammers don’t have any personal information about their targets, they often impersonate Microsoft staff. Microsoft Windows is, after all, the most popular operating system in the world,” the firm says.

It points out that with detailed logs and case information in hand, scammers stand a better chance of succeeding against their targets.

“If scammers obtained the data before it was secured, they could exploit it by impersonating a real Microsoft employee and referring to a real case number. From there, they could phish for sensitive information or hijack user devices.

“Microsoft customers and Windows users should be on the lookout for such scams via phone and e-mail. Remember that Microsoft never proactively reaches out to users to solve their tech problems – users must approach Microsoft for help first. Microsoft employees will not ask for your password or request that you install remote desktop applications like TeamViewer. These are common tactics among tech scammers,” Comparitech says.

Malicious actors

Ekaterina Khrustaleva, COO of Web security company ImmuniWeb, comments: “Assuming the data was not exploited by malicious actors as per the official statement, there is not much practical risk so far.

“However, it is impossible to say whether the information from this server, or other presumably existing servers, has ever been detected and stolen by cyber criminals.”

Khrustaleva says the absence of personally identifiable information in the dump is irrelevant here, given that technical support logs frequently expose VIP clients, their internal systems and network configurations, and even passwords.

“The data is a gold mine for patient criminals aiming to breach large organisations and governments,” she notes.

“Worse, many large companies and not only Microsoft have lost visibility of their external attack surface, exposing their clients and partners to significant risks. We will likely see a multitude of similar incidents in 2020.”