Microsoft inadvertently left hundreds of millions of customer service and support requests exposed on several servers without password protection from Dec. 5 to Dec. 31, 2019, the company’s Security Response Center wrote in a blog post on Wednesday.
Bob Diachenko of Security Discovery, the researcher who originally spotted the issue, told ZDNet that Microsoft left over 250 million user analytics records exposed on five Elasticsearch servers that apparently mirrored each other. He added that the company promptly fixed the issue, despite it being New Year’s Eve.
Microsoft’s security team wrote in the blog post that the company works to ensure “data stored in the support case analytics database is redacted using automated tools to remove personal information” and that the “vast majority” of the 250 million entries were properly redacted. However, in some cases where the data was originally entered in a format the system didn’t recognize, the email addresses may not have been redacted (Microsoft used the example of an email address entered as “XYZ @contoso com” rather than in the proper format, “XYZ@contoso.com”).
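The redaction gap Microsoft describes, as an added illustration rather than Microsoft's own tooling (whose rules are not public): a strict email pattern of the kind an automated redaction pass applies, a lenient one that also recognizes the spaced-out form, and an audit that flags records the strict pass leaves exposed. The sample records and the TLD allowlist are constructed for the example.

```python
import re

# Strict rule, the kind an automated redaction pass typically applies: it only
# matches a well-formed address such as XYZ@contoso.com.
STRICT_EMAIL = re.compile(r"\b[\w.%+-]+@[\w-]+(?:\.[\w-]+)*\.[A-Za-z]{2,}\b")

# Short TLD allowlist (constructed for this example) that bounds the lenient rule
# so it stops at the domain instead of swallowing the words that follow it.
TLDS = r"(?:com|net|org|edu|gov|io|info|biz|co|uk|de|fr)"

# Lenient rule: accepts whitespace around '@' and whitespace standing in for the
# dot between domain labels, so "XYZ @contoso com" is still recognized.
# It is deliberately biased toward over-redaction in analytics data.
LENIENT_EMAIL = re.compile(
    r"\b[\w.%+-]+\s*@\s*[\w-]+(?:\s*\.\s*[\w-]+|\s+[\w-]+)*?\s*[.\s]\s*" + TLDS + r"\b",
    re.IGNORECASE,
)

# Constructed support-case notes standing in for the analytics records.
RECORDS = [
    "Case 1: customer XYZ@contoso.com cannot sign in",
    "Case 2: customer XYZ @contoso com cannot sign in",
    "Case 3: follow-up call scheduled, no email on file",
    "Case 4: forwarded to jane.doe @ fabrikam . org for billing",
]


def redact(text: str, pattern: re.Pattern = STRICT_EMAIL) -> str:
    """Replace every address the given rule recognizes with a placeholder."""
    return pattern.sub("[REDACTED]", text)


def find_missed(records):
    """Audit: run the strict rule, then report anything the lenient rule still
    sees in the output. Each hit is an address the strict pass would have left
    exposed, which is the gap described in the article."""
    missed = []
    for idx, rec in enumerate(records):
        leftover = redact(rec, STRICT_EMAIL)
        missed.extend((idx, m.group(0)) for m in LENIENT_EMAIL.finditer(leftover))
    return missed


if __name__ == "__main__":
    for idx, leaked in find_missed(RECORDS):
        print(f"record {idx}: strict redaction left {leaked!r} exposed")
    for rec in RECORDS:
        print(redact(rec, LENIENT_EMAIL))
```

Running the audit against a redacted copy of a dataset, rather than trusting the redaction step, is what turns this class of miss into a detectable defect before the data is exposed.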
“Misconfigurations are unfortunately a common error across the industry,” the Security Response Center wrote. “We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database.” The company wrote that it had no evidence that malicious parties accessed the information.
Security firm Comparitech wrote on its website that the exposed data spanned 14 years of customer support records and that, in addition to email addresses, the exposed data included IP addresses, location, and details of customer support cases such as communications between representatives and users. The firm noted that while the information may be relatively mundane, it could be of use to scammers who pose as support agents to steal money from unwary victims. It also noted that Microsoft has faced breaches before, such as a 2013 incident involving its bug-tracking system and a compromised support agent account in 2019 that may have allowed attackers limited glimpses into Outlook.com accounts, including email addresses and subject lines but not message contents.
Microsoft added in the blog post that it is working on several measures to increase security after the incident. Those include “auditing established network security rules for internal resources,” expanding detection and reporting of security rule misconfigurations, and redacting more information from records in the future.