Misconfigured Microsoft database exposed over 250m customer service records

Security researcher Bob Diachenko recently discovered a misconfigured Microsoft database that contained over 250 million records pertaining to conversations between customers and Microsoft support agents. The database could be accessed by anyone with an Internet connection.

The misconfigured Microsoft database was discovered by Diachenko on 29th December, a day after it was indexed by the BinaryEdge search engine that scans for public Internet data on the web. Upon being informed about the exposure, Microsoft closed public access to the database by 31st December.

The 250 million records stored in the ElasticSearch database included a wealth of information such as email addresses of customers, IP addresses, customers' locations, confidential internal notes, case numbers, resolutions and remarks, Microsoft support agent emails, and descriptions of CSS claims and cases.

However, the database did not expose any financial information of Microsoft's customers across the world as details such as email aliases, payment information, and contract numbers were redacted.

"Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data. Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorised access," said Microsoft in a blog post, emphasising that the misconfiguration was restricted to this particular database.

"As part of Microsoft’s standard operating procedures, data stored in the support case analytics database is redacted using automated tools to remove personal information. Our investigation confirmed that the vast majority of records were cleared of personal information in accordance with our standard practices.

"We want to sincerely apologise and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence. We also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this misconfiguration, investigate the situation, and begin notifying customers as appropriate," said Ann Johnson, Corporate Vice President of Microsoft's Cybersecurity Solutions Group, and Eric Doerr, GM of Microsoft's Security Response Center.

"Kudos to MS Security Response team - I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve," said Diachenko on Twitter after the exposure was quickly resolved by Microsoft.

Commenting on the exposure, Ekaterina Khrustaleva, COO of ImmuniWeb, told TEISS that even though the data was not exploited by malicious actors as per Microsoft's official statement, it is impossible to say whether the information from this server or other presumably existing servers, has ever been detected and stolen by cyber criminals.

"The absence of PII* in the dump is irrelevant here, given that technical support logs frequently expose VIP clients, their internal systems and network configurations, and even passwords. The data is a gold mine for patient criminals aiming to breach large organisations and governments," she added.

ALSO READ: Personal & financial data of 20m Ecuadorian citizens exposed via unsecured database

MORE ABOUT: