250 Million Microsoft Customer Records Exposed Online
A recent data reveals that 250 million Microsoft customer records, spanning 14 years, your technical query, along with some personally information have been exposed online without password protection
Microsoft today admitted a security incident that exposed nearly 250 million "Customer Service and Support" (CSS) records on the Internet due to a misconfigured server containing logs of conversations between its support team and customers.
There is the Internet Explorer zero-day vulnerability that Microsoft hasn't issued a patch for, despite it being actively exploited. That came just days after the U.S. Government issued a critical Windows 10 update now alert concerning the "extraordinarily serious" curveball crypto vulnerability. Now a newly published report, has revealed that 250 million Microsoft customer records, spanning an incredible 14 years in all, have been exposed online in a database with no password protection.
According to Bob Diachenko, a cybersecurity researcher who spotted the unprotected database and reported to Microsoft, the logs contained records spanning from 2005 right through to December 2019.
In a blog post, Microsoft confirmed that due to misconfigured security rules added to the server in question on December 5, 2019, enabled exposure of the data, which remained the same until engineers remediated the configuration on December 31, 2019.
Microsoft also said that the database was redacted using automated tools to remove the personally identifiable information of most customers, except in some scenarios where the information was not the standard format.
"Our investigation confirmed that the vast majority of records were cleared of personal information in accordance with our standard practices," Microsoft said.
However, according to Diachenko, many records in the leaked database contained readable data on customers, including their:
* email addresses,
* IP addresses,
* Locations,
* Descriptions of CSS claims and cases,
* Microsoft support agent emails,
* Case numbers, resolutions, and remarks,
* Internal notes marked as "confidential."
"This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services," Microsoft said.
By having real sensitive case information and email addresses of affected customers in hand, the leaked data could be abused by tech-support scammers to trick users into paying for non-existent computer problems by impersonating Microsoft support representatives.
"Worse, many large companies and not only Microsoft have lost visibility of their external attack surface, exposing their clients and partners to significant risks. We will likely see a multitude of similar incidents in 2020."
KnowBe4's Data-Driven Defense Evangelist Roger Grimes also shared his comment and experience with The Hacker News, saying:
"Having worked for Microsoft for 15 years, 11 years as a full-time employee, I've seen firsthand how much they try to fight scenarios like this. There are multiple layers of controls and education designed to stop it from happening. And it shows you how hard it is to prevent it 100% of the time. Nothing is perfect. Mistakes and leaks happen. Every organization has overly permissive permissions. Every! It's just a matter of if someone outside the organization discovers it or if someone takes advantage of it."
As a result of this incident, the company said it began notifying impacted customers whose data was present in the exposed Customer Service and Support database.
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.