More than 250 million customer service and support records were exposed by Microsoft over a two-day period in December 2019 due to a server misconfiguration.
The records weren’t secured with any authentication measures. The same set of 250 million records was stored on five Elasticsearch servers, which were spotted by Comparitech’s security researcher Bob Diachenko and his team on December 29th. They immediately notified Microsoft, which secured the data and started an investigation within two days.
Microsoft apologized for the incident and was quick to assure users that it had detected no malicious use of the leaky servers. The tech giant has also been in the news of late for other reasons, notably a severe vulnerability in Windows and a zero-day flaw in Internet Explorer.
The records comprised logs of exchanges between Microsoft’s customer support and its customers, spanning a 14- year period from 2005 to 2019.
While most of the sensitive information that was personally identifiable, such as payment information, was redacted, there were still a lot of records that were in plain-text form. The latter included IP addresses, locations, and internal notes which were marked “confidential”, customer email addresses, descriptions of customer service support claims and cases, Microsoft support agent emails, case numbers, resolutions, and remarks.
Microsoft's investigation revealed that the culprit was a change in the database’s network security group, which contained misconfigured security rules.
According to Microsoft:
“Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”