[German]There was a privacy incident at Microsoft last year. At the end of last year, Microsoft briefly disclosed call center data of almost 250 million customers via several unsecured cloud servers.
Secretly, I’ve been waiting a long time for something like this, it was only a matter of time before something like this happened to an admin at Microsoft. It was just through this tweet that I became aware of the issue.
[NEW REPORT] Misconfigurations happen – no matter how big or secured a company is. Here is my new report. 250M+ million Microsoft’s Customer Service and Support (CSS) records were exposed on the web. https://t.co/C1Ll0nT8vz
— Bob Diachenko (@MayhemDayOne) January 22, 2020
According to this article, security researcher Bob Diachenko discovered the databases on December 28, 2019, one day after the indexing of databases on five Elasticsearch servers by the BinaryEdge search engine.
Each of these databases contained a seemingly identical pool of Microsoft Customer Service and Support (CSS) (Support) records that spanned a period of 14 years. The records contained telephone conversations between customer service representatives and customers from 2005 through December 2019, and the databases containing 250 million records were all password-free and completely unprotected, according to Comparitech. The records contained the following data in text format, among others.
- Clients’ email addresses
- IP addresses, locations
- descriptions of CSS claims and cases
- Microsoft Support Agent emails
- Case numbers, resolutions and comments
- Internal notes marked as “confidential
This not only posed a phishing risk, but also a valuable data collection tool for technical support fraudsters who pose as call center agents for Microsoft and other companies to install malware on victims’ computers and steal financial data.
Microsoft customers and Windows users should be wary of such phone and email scams – I’ve warned about them several times on the blog. Always remember that Microsoft never proactively approaches users to solve their technical problems – users must first contact Microsoft for help. Microsoft employees will not ask users for their password or ask them to install remote desktop applications like TeamViewer. These are common tactics among technical fraudsters.
The problem with leaked data: “With detailed logs and case information in hand, fraudsters have a better chance of succeeding against their targets,” explained Comparitech’s Paul Bischoff. “If fraudsters received the data before the backup, they can exploit it by impersonating a real Microsoft employee and referring to a real case number. From there, they could fish for confidential information or hijack user devices.”
After Diachenko informed the company on December 29, they backed up all the data until December 31. However, Microsoft was praised by security researchers for acting quickly to lock down the exposed servers.
Microsoft’s Security Response Center has this article about that incident. Microsoft’s investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data. Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services.
Microsoft has emailed customers to inform them of a security vulnerability that exposed customer data to the Internet. Summary: an #Azure NSG rule was configured wrong. This is why I advocate that security should be done by people who know security + governance. pic.twitter.com/ILC7OAZZMd
— Aidan Finn (@joe_elway) January 22, 2020
According to the tweet above, Microsoft has emailed customers to inform them of the security incident. In 2013, hackers broke into the company’s secret database to track errors in its software. This break-in contained no user information and was never officially confirmed to the public. And LinkedIn, which was taken over by Microsoft, fell victim to a hack – for example, my email was captured even though I didn’t have an account with LinkedIn (this was a hack because my data was passed on to buying companies as a video trainer, DSGVO didn’t exist back then, so LinkedIn is a No Go for me).