Microsoft has admitted to misconfiguring a customer service and support database, a blunder that exposed 14 years of customer service and support data dating back to 2005. The data was accessible to anyone with a web browser, with no authentication required at all.
According to Microsoft’s blog, a change was made to the databases’ network security group on December 5, 2019. It was later found that appropriate measures had not been taken to verify the Azure security rules, and this misconfiguration led to the data exposure. The exposure was discovered by a security research team at Comparitech led by Bob Diachenko. He uncovered a total of five Elastic servers containing 250 million records, including logs of communication between Microsoft’s support engineers and its customers.
Diachenko discovered these databases on December 29, 2019, and, understanding the critical nature of the security hole, quickly reported it to Microsoft. Considering the holiday season, he wasn’t sure whether the vulnerability could be plugged immediately, but Microsoft secured all the servers and the corresponding data by New Year’s Eve.
Diachenko’s research says that personally identifiable information (PII) of clients was in most cases obscured, but some of these records contained plain text data, such as:
- Customer email address
- IP address
- Descriptions of customer service and support queries
- Attending Microsoft support agent email
- Case number, resolution given, and remarks entered
- Internal notes marked as “confidential”
Microsoft said, “We want to sincerely apologize and reassure our customers that we are taking it (database misconfiguration) seriously and working diligently to learn and take action to prevent any future reoccurrence. We also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this misconfiguration, investigate the situation, and begin notifying customers as appropriate.”
Also in December 2019, Diachenko discovered an unprotected public database containing over 267 million Facebook user IDs, names, and contact details that had been left online without password protection. The incident occurred due to an illegal scraping operation or Facebook API abuse by cybercriminals in Vietnam.
Diachenko stated that 267,140,436 records were exposed in the incident, which could be used by attackers to launch SMS spam and phishing campaigns. The exposed data was also posted on a hacker forum for download.