While most people were celebrating the start of the new year, Microsoft’s security team was working overtime to deal with a serious security exposure. On January 23rd, 2020, the company disclosed a database misconfiguration that temporarily made approximately 250 million customer service and support records accessible to anyone with a web browser. Security researchers discovered the exposure on December 29, 2019: five servers storing customer support analytics had been accidentally left reachable from the Internet. Microsoft quickly resolved the issue two days later, saying the exposure was caused by a “configuration error” in one of its internal customer support databases, and that it had found no evidence of “malicious use.”
The servers held logs of conversations between Microsoft support staff and customers around the world going back to 2005. According to the researchers, the database was not password-protected. Although Microsoft said it had deleted “most of” the personal data, the researchers noticed that some information was still stored in plain text, including email addresses written in a non-standard form (“name surname @ email domain com” rather than “firstname.lastname@example.org”) and IP addresses. Anyone with access to the logs could have used them to impersonate Microsoft’s support staff far more convincingly in a phishing scheme.
Microsoft said it had already notified the affected customers, even though it believes the data was not misused. It attributed the accidental server exposure to misconfigured Azure security rules deployed on Dec. 5, which have since been corrected. This is Microsoft’s second major data security incident involving its customer support system. In April 2019, the company disclosed that hackers had used customer support representatives’ credentials to compromise the email accounts of some of its users. In both cases, the underlying problem was that internal support systems had access to user information at almost unprecedented levels, making them attractive targets for attackers.
Microsoft said it has put the following additional measures in place since the leak:
- Auditing the established network security rules for internal resources.
- Expanding the scope of the mechanisms that detect security rule misconfigurations.
- Adding additional alerting to service teams when security rule misconfigurations are detected.
- Implementing additional redaction automation.
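The last three items on that list are the kind of automation a defender can build. As an added example (not Microsoft’s tooling and not code from the original article), the script below does two things: it flags inbound allow rules that open database ports to the whole Internet, run over a constructed, simplified rule set (a hypothetical record shape, not the real Azure NSG schema), and it redacts email addresses and IPv4 addresses from constructed support-log lines, including the spaced-out “name surname @ email domain com” form that the article says survived redaction. The port list and the sample data are assumptions.

```python
import ipaddress
import re

# Constructed sample of network security rules. The field names are a
# simplified, hypothetical shape, not Azure's real NSG rule schema.
SAMPLE_RULES = [
    {"name": "allow-db-from-internet", "direction": "Inbound", "access": "Allow",
     "source": "*", "dest_port": "5432", "priority": 100},
    {"name": "allow-db-from-vnet", "direction": "Inbound", "access": "Allow",
     "source": "10.0.0.0/8", "dest_port": "5432", "priority": 110},
    {"name": "allow-https", "direction": "Inbound", "access": "Allow",
     "source": "0.0.0.0/0", "dest_port": "443", "priority": 120},
    {"name": "deny-all", "direction": "Inbound", "access": "Deny",
     "source": "*", "dest_port": "*", "priority": 4096},
]

# Ports that should never be reachable from the Internet (assumption:
# common database/search ports; adjust per environment).
SENSITIVE_PORTS = {"1433", "3306", "5432", "27017", "6379", "9200", "9300"}
INTERNET_SOURCES = {"*", "internet", "any", "0.0.0.0/0"}


def is_internet_source(src):
    """True if the source prefix means 'anyone on the Internet'."""
    s = src.strip().lower()
    if s in INTERNET_SOURCES:
        return True
    try:
        return ipaddress.ip_network(s, strict=False).prefixlen == 0
    except ValueError:
        return False  # service tags or names we do not understand


def port_matches(rule_port, port):
    """Does a rule's destination port spec ('*', '80', '1000-2000') cover port?"""
    rule_port = rule_port.strip()
    if rule_port == "*":
        return True
    if "-" in rule_port:
        lo, hi = rule_port.split("-", 1)
        return int(lo) <= int(port) <= int(hi)
    return rule_port == port


def find_exposed_rules(rules, sensitive_ports=SENSITIVE_PORTS):
    """Return (rule name, [exposed ports]) for inbound allow rules that open
    a sensitive port to the Internet. Deny rules and VNet-scoped rules pass."""
    findings = []
    for r in rules:
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        if not is_internet_source(r["source"]):
            continue
        hit = sorted(p for p in sensitive_ports if port_matches(r["dest_port"], p))
        if hit:
            findings.append((r["name"], hit))
    return findings


# Redaction. The local part may be up to three space-separated tokens and the
# domain may use spaces instead of dots, so both "first.last@example.org" and
# "name surname @ email domain com" are caught. The TLD list is an assumption
# kept short so the pattern cannot run on into the next log field.
TLDS = r"(?:com|net|org|edu|gov|io|de|uk|fr)"
EMAIL_RE = re.compile(
    r"\b[A-Za-z0-9._%+-]+(?:\s+[A-Za-z0-9._%+-]+){0,2}\s*@\s*"
    r"[A-Za-z0-9-]+(?:[\s.]+[A-Za-z0-9-]+)*[\s.]+" + TLDS + r"\b",
    re.IGNORECASE,
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def redact(line):
    """Replace email addresses (standard or spaced-out) and IPv4 addresses."""
    line = EMAIL_RE.sub("[EMAIL]", line)
    return IPV4_RE.sub("[IP]", line)


# Constructed support-log lines (not real customer data).
SAMPLE_LOG = [
    "2019-12-29 10:14:03 case=CONSTRUCTED-001 agent=support1 "
    "customer=name surname @ email domain com ip=203.0.113.45 note=password reset requested",
    "2019-12-29 10:20:51 case=CONSTRUCTED-002 agent=support2 "
    "customer=firstname.lastname@example.org ip=198.51.100.7 note=license question",
]


if __name__ == "__main__":
    for name, ports in find_exposed_rules(SAMPLE_RULES):
        print(f"ALERT rule {name!r} exposes ports {ports} to the Internet")
    for line in SAMPLE_LOG:
        print(redact(line))
```

Running it flags only `allow-db-from-internet` (the VNet-scoped copy of the same rule and the HTTPS rule are fine, and the deny rule is skipped), and both log lines come back with `customer=[EMAIL] ip=[IP]`. The point of the spaced-out email pattern is that a redaction filter written only for RFC-style addresses would have passed the first line through untouched, which is the gap the article describes.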
Contact LIFARS immediately if your organization was hit with a data breach.