Microsoft Exposed 250M Customer Service records to the Web for 25 days


Microsoft cloud databases containing fourteen years of customer support logs exposed twenty-five million records to the open internet for twenty-five days. The account information dates back as far as 2005 and is as recent as December 2019, and it exposes Microsoft customers to phishing and tech scams.

In a Microsoft blog post, the OS maker said that an internal customer support database storing anonymized user analytics was accidentally exposed online without proper protections between December 5 and December 31. The database was spotted and reported to Microsoft by Bob Diachenko, a security researcher with Security Discovery.

The leaky customer support database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations. All five servers stored the same data and appeared to be mirrors of each other.

Diachenko said that Microsoft secured the exposed database on the same day he reported the issue to the OS maker, despite it being New Year's Eve. He said that he has been in touch with the Microsoft team, helping and supporting them to properly investigate it.

The servers contained roughly 250 million entries, with information such as email addresses, IP addresses, and support case details. Microsoft said that most of the records did not contain any personal user information.

Microsoft said that, as part of its standard operating procedures, the data stored in the support case analytics database is redacted using automated tools to remove personal information.

However, in cases where users filed customer support requests using non-standard formatted data (such as "name surname @ email domain com" instead of the standard email format), the data was not detected and redacted, and it remained in the exposed database.
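The redaction gap described above can be reproduced with a short added example. This is not Microsoft's tooling, which the post does not describe: the patterns, the small TLD list and the sample lines are all assumptions constructed here. It compares a strict email matcher with a tolerant one and adds a residual check that flags records still containing an "@" after redaction.

```python
import re

TOKEN = r"[A-Za-z0-9_%+-]+"
SEP = r"(?:\s*\.\s*|\s+)"          # "." or plain whitespace between labels
TLD = r"(?:com|net|org|edu|gov)"   # assumption: short sample list, extend as needed

# Standard form only, e.g. user.name@example.com
STRICT = re.compile(rf"{TOKEN}(?:\.{TOKEN})*@{TOKEN}(?:\.{TOKEN})+")
# Also accepts spaces in place of dots and around "@"
LOOSE = re.compile(
    rf"(?:{TOKEN}{SEP})?{TOKEN}\s*@\s*(?:{TOKEN}{SEP}){{1,3}}{TLD}\b", re.I)

MASK = "[REDACTED_EMAIL]"


def redact_strict(text):
    """Mask only addresses written in the standard format."""
    return STRICT.sub(MASK, text)


def redact_tolerant(text):
    # Strict pass first so well-formed addresses are masked whole,
    # then the loose pass catches spaced-out variants.
    return LOOSE.sub(MASK, STRICT.sub(MASK, text))


def residual_records(records, redactor):
    """Return redacted records that still contain an '@' and need review."""
    return [r for r in map(redactor, records) if "@" in r]


# Constructed sample support-case lines (not real data).
SAMPLES = [
    "Customer user.name@example.com cannot sign in",
    "Reply to name surname @ email domain com about case 1234",
    "No contact details supplied",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(redact_strict(line), "|", redact_tolerant(line))
    print("left after strict:", residual_records(SAMPLES, redact_strict))
```

The tolerant pattern masks at most two words before the "@" and can over-redact ordinary text, so the residual check is the safer control: anything it returns should be held back from an analytics store until reviewed.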

Microsoft said it has begun notifying impacted customers, although it added that it found no malicious use of the data. Microsoft blamed the accidental server exposure on misconfigured Azure security rules it deployed on December 5, which have now been fixed.
