Misconfigured Microsoft cloud databases containing 14 years of customer support logs exposed 250 million records to the open internet for 25 days. The account info dates back as far as 2005 and is as recent as December 2019 — and exposes Microsoft customers to phishing and tech scams.
Microsoft said it is in the process of notifying affected customers.
The Comparitech security research team said that it ran across five Elasticsearch servers that had been indexed by the search engine BinaryEdge, each with an identical copy of the database. The database contained a wealth of phishing- and scam-ready information in plain text, including: customer email addresses, IP addresses and physical locations, descriptions of customer service claims and cases, case numbers, resolutions and remarks, and internal notes marked “confidential.”
In short, it’s everything a cybercriminal would need to mount a convincing and large-scale fraud effort, Comparitech researcher Paul Bischoff wrote in a posting on Wednesday.
“The data could be valuable to tech support scammers, in particular,” he said. “Tech support scams entail a scammer contacting users and pretending to be a Microsoft support representative. These types of scams are quite prevalent, and even when scammers don’t have any personal information about their targets, they often impersonate Microsoft staff. Microsoft Windows is, after all, the most popular operating system in the world.”
Other personally identifiable information (PII) – email aliases (i.e., names), contract numbers and, crucially, payment information – was redacted, which Microsoft said is done via an automated privacy-check process.
All five servers were exposed to the open internet, with no password required. Researcher Bob Diachenko, who collaborated with Comparitech on the discovery, notified Microsoft, which locked them down about two days after they were discovered, according to the posting.
Both Microsoft and Comparitech said there was no indication as to whether the insecure data was accessed by additional third parties.
Microsoft Says Exposure was Limited
Microsoft, for its part, released further details in its own blog posting on Wednesday, noting that the data was exposed to anyone with internet access for about 25 days over the holidays.
“Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data,” the security team wrote.
It added, “Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services.”
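The root cause Microsoft describes is a network security group (NSG) change whose rules left the database reachable from the Internet. As an added example, not code from Microsoft, Comparitech or the article, the following Python audit evaluates Azure-style inbound NSG rules in priority order (lowest priority number wins, first match decides) and flags any rule set that leaves the Elasticsearch REST and transport ports (9200/9300) reachable from Internet sources; the misconfigured rule set is shown beside a corrected one. The rule JSON is constructed here and only loosely modelled on the Azure NSG format, so the field names, rule names and address values are assumptions.

```python
"""Audit Azure-style NSG inbound rules for Elasticsearch ports open to the Internet.

Added example (not from the article or Microsoft). The JSON shape below is
modelled loosely on Azure NSG rule resources and is an assumption.
"""
import json

ES_PORTS = (9200, 9300)  # Elasticsearch REST API and transport ports

# Constructed sample: the "before" state. The ingest rule's source prefix "*"
# matches every source, including the Internet, so the first-match evaluation
# never reaches the default DenyAllInBound rule for ports 9200-9300.
WEAK_NSG_JSON = json.dumps({
    "securityRules": [
        {"name": "allow-analytics-ingest", "properties": {
            "priority": 100, "direction": "Inbound", "access": "Allow",
            "protocol": "Tcp", "sourceAddressPrefix": "*",
            "destinationPortRange": "9200-9300"}},
        {"name": "allow-ssh-bastion", "properties": {
            "priority": 200, "direction": "Inbound", "access": "Allow",
            "protocol": "Tcp", "sourceAddressPrefix": "10.0.1.0/24",
            "destinationPortRange": "22"}},
    ],
    "defaultSecurityRules": [
        {"name": "DenyAllInBound", "properties": {
            "priority": 65500, "direction": "Inbound", "access": "Deny",
            "protocol": "*", "sourceAddressPrefix": "*",
            "destinationPortRange": "*"}},
    ],
})

# Constructed "after" state: same rule, but scoped to the virtual network tag
# so Internet-sourced traffic falls through to DenyAllInBound.
FIXED_NSG_JSON = WEAK_NSG_JSON.replace(
    '"sourceAddressPrefix": "*", "destinationPortRange": "9200-9300"',
    '"sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "9200-9300"')


def _port_matches(port_range: str, port: int) -> bool:
    """True if a destinationPortRange value ("*", "9200" or "9200-9300") covers port."""
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(p) for p in port_range.split("-", 1))
        return lo <= port <= hi
    return int(port_range) == port


def _covers_internet(prefix: str) -> bool:
    """True if a rule's source prefix matches traffic arriving from the Internet."""
    return prefix in ("*", "Internet", "0.0.0.0/0")


def load_rules(nsg_json: str) -> list:
    """Combine custom and default rules into one list for evaluation."""
    nsg = json.loads(nsg_json)
    return nsg["securityRules"] + nsg.get("defaultSecurityRules", [])


def effective_access(rules: list, port: int, protocol: str = "Tcp") -> tuple:
    """Return (access, rule_name) for an Internet-sourced inbound packet on port.

    Rules are walked in ascending priority; the first rule whose direction,
    protocol, source and destination port all match decides the outcome.
    """
    for rule in sorted(rules, key=lambda r: r["properties"]["priority"]):
        p = rule["properties"]
        if p["direction"] != "Inbound":
            continue
        if p["protocol"] not in ("*", protocol):
            continue
        if not _covers_internet(p["sourceAddressPrefix"]):
            continue
        if not _port_matches(p["destinationPortRange"], port):
            continue
        return p["access"], rule["name"]
    return "Deny", "(implicit deny)"


def audit(nsg_json: str) -> list:
    """List every Elasticsearch port the NSG leaves reachable from the Internet."""
    rules = load_rules(nsg_json)
    findings = []
    for port in ES_PORTS:
        access, name = effective_access(rules, port)
        if access == "Allow":
            findings.append({"port": port, "rule": name})
    return findings


if __name__ == "__main__":
    print("misconfigured:", audit(WEAK_NSG_JSON))  # two findings, both from allow-analytics-ingest
    print("corrected:", audit(FIXED_NSG_JSON))     # []
```

The check models only what the article supports: a permissive inbound rule placed ahead of the default deny. A production audit would also walk `destinationPortRanges` lists, application security groups and any Internet-facing public IP on the host, and would treat network-level exposure as a second line behind authentication on the Elasticsearch endpoint itself.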
Microsoft added that it has begun notifying affected customers – of which there are presumably millions.
“Microsoft customers and Windows users should be on the lookout for…scams via phone and email,” Comparitech’s Bischoff said. “Remember that Microsoft never proactively reaches out to users to solve their tech problems—users must approach Microsoft for help first. Microsoft employees will not ask for your password or request that you install remote desktop applications like TeamViewer. These are common tactics among tech scammers.”
At least one researcher questioned the security and privacy protections that Microsoft had in place.
“This incident shows some concerning issues with the way data security was handled,” Fausto Oliveira, principal security architect at Acceptto, told Threatpost. “These are the more worrying facts that arise from this incident: Access to the data was not protected using (at least) username and passwords, although for this level of confidentiality I would expect it to be protected using multifactor authentication; not all data was encrypted; data about a customer is being retained well past what I would think reasonable — 14 years’ worth of support data strikes as beyond a sensible data retention interval; from the disclosure, the threat surface was exposed for 25 days, although Microsoft found no evidence of malicious use, it is quite a long interval of exposure; and poor governance. If the correct policies and processes were enforced effectively, this type of event should be near impossible to occur.”
Security Deja-Vu
Microsoft tech support has been in the cyber-spotlight before, after the computing giant announced a breach stemming from the compromise of a support agent’s credentials. This enabled individuals outside Microsoft to access the victims’ email account-related information – including email addresses, folder names, email subject lines and recipient email addresses.
Meanwhile, cloud database misconfigurations – even by tech giants and cloud specialists – have become a bit of an epidemic. Adobe, for instance, in October exposed subscription records for nearly 7.5 million Adobe Creative Cloud users. The service offers cloud-based access to popular Adobe products such as Photoshop, Lightroom, Illustrator, InDesign, Premiere Pro, Audition, After Effects and others.
“The most recent Microsoft data breach adds to almost weekly reports – at least since mid-2019 – of similar occurrences in large companies all over the world,” Rui Lopes, engineering and technical support director at Panda Security, told Threatpost. “What’s more, we know more than 50 percent of these incidents are caused by deliberate malicious attacks rather than human error – and they cost up to 27 percent more for that reason. Companies in any industry and of any size should build and implement solid data control strategies, allowing them not only to avoid direct financial losses but also the costly impact on reputation and client trust.”
The Verizon 2019 Data Breach Incident Report (DBIR) in May found that misconfiguration of cloud-based file storage accounted for a fifth (21 percent) of data exposures in the previous 12 months that were caused by errors. In all, cloud storage mishaps exposed a whopping 60 million records in the DBIR dataset.
“On a positive note, I want to highlight that the Microsoft staff reacted in a rapid manner once they were warned about the incident and that their disclosure process worked,” Oliveira told Threatpost. “The security controls that Microsoft has selected after the incident are all reasonable, however, for an organization of this size and importance, I would expect them to be already in place, especially when dealing with customer data.”
This post was updated at 12:45 ET on Jan. 22, 2020 to incorporate third-party commentary and to update the exposure window.