Microsoft Has Failed to Protect 250 Million Customer Support Logs


It may not look like it, but big tech giants never sit still. Sometimes, the changes are invisible to the millions of users, but behind the scenes, IT companies constantly update and tweak their internal procedures to ensure a streamlined, smooth-running operation. We mustn't forget, however, that implementing even minor tweaks is a complicated process, and mistakes can happen. Unfortunately, Microsoft showed us yesterday that when things do go wrong, the consequences are often pretty terrifying.

It all started on December 28, 2019, when threat intelligence search engine BinaryEdge indexed a cluster of five Elasticsearch servers, which all held an identical collection of 250 million records. Within a day, security researcher Bob Diachenko discovered the servers and realized that they weren't protected by any form of authentication. Diachenko teamed up with researchers from Comparitech who helped him come to the conclusion that the database belonged to Microsoft. The maker of the world's most popular operating system was notified immediately, and a day later, the servers were already offline. After securing the data, Microsoft's Security Response Team started an investigation, and yesterday, they told everybody what happened.

Microsoft leaked millions of support logs

The 250 million records were actually support logs dated between 2005 and December 2019. It's a vast collection of data spanning a huge time frame. Fortunately, the people who have had to resort to Microsoft's customer service team during that period will be happy to learn that most of the entries contained no personally identifiable information. Asking Microsoft for help usually involves presenting your email address and, on occasion, other contact details, but the Redmond-based giant has actually thought about its customers' privacy and has implemented mechanisms that automatically redact personal information before storing it on a server. These mechanisms are not infallible, though.

Information entered in an unrecognized format would bypass the anonymization procedure, which means that email addresses with spaces in them, for example, would not be redacted. Microsoft's security experts said that although they've seen no evidence of "malicious use" of the data, they are in the process of informing users who could be affected.
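The bypass described above can be reproduced with any format-based redactor. The following is an added example, not Microsoft's code: the patterns, function names and sample strings are assumptions constructed for illustration. It shows a strict pattern missing an address that contains a space, a more tolerant pattern catching it, and a fail-closed check that holds back any record the redactor could not fully handle.

```python
import re

PLACEHOLDER = "[REDACTED_EMAIL]"

# Strict pattern (hypothetical): assumes the address contains no whitespace.
STRICT = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Tolerant pattern (hypothetical): also accepts spaces or tabs around "@"
# and before a dot in the domain part.
TOLERANT = re.compile(
    r"[A-Za-z0-9._%+-]+[ \t]*@[ \t]*[A-Za-z0-9-]+(?:[ \t]*\.[A-Za-z0-9-]+)+"
)


def redact(pattern, text):
    """Replace every match of the given pattern with the placeholder."""
    return pattern.sub(PLACEHOLDER, text)


def process_record(text):
    """Redact with the tolerant pattern, then fail closed.

    Returns (redacted_text, needs_review). Any "@" that survives redaction
    means the input used a format the pattern did not recognise, so the
    record is flagged for review instead of being stored as if it were clean.
    """
    redacted = redact(TOLERANT, text)
    return redacted, "@" in redacted


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("user alice@example.com",
                   "user bob @example.com",
                   "user carol @ example . com"):
        print(repr(redact(STRICT, sample)), process_record(sample))
```

The third sample still defeats the tolerant pattern, which is why the final check matters more than the pattern itself: recognising formats is best effort, while the residual check decides whether the record may be stored.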

The fact that the database exposed little personal data is good news, but the leak should not be underestimated. In addition to the mostly obfuscated personal information, the Elasticsearch servers contained users' IP addresses and location information, as well as data related to the status and nature of the support cases they have opened with Microsoft. The email addresses of the Microsoft support agents were stored in plain text as well. All in all, there was enough information for a motivated hacker to launch a targeted attack that could have had pretty disastrous consequences.

How did the data end up exposed, and how did Microsoft handle the issue?

Bob Diachenko was impressed with Microsoft's Security Response Team and the quick reaction in light of the fact that the notification was sent hours before New Year's Eve. The OS vendor also deserves a pat on the back for the transparency with which it described the events leading up to the incident.

On December 5, Microsoft's backend team made some changes to the database's network security group and failed to notice that the update contained a configuration mistake. In yesterday's report, Ann Johnson, Corporate Vice President of Microsoft's Cybersecurity Solutions Group, and Eric Doerr, General Manager of Microsoft's Security Response Center, pointed out that they have mechanisms in place which would usually prevent data leaks caused by this sort of misconfiguration error. For this particular database, however, they were not turned on.
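A check of the kind that can catch this class of mistake before or after a rule change is sketched below. It is an added example, not Microsoft's tooling, and it does not reconstruct the actual rule change, which the report does not describe. It assumes Azure-style network security group rules flattened into dictionaries, considers only single source prefixes and port specs, and uses constructed rule sets; ports 9200 and 9300 are the Elasticsearch defaults.

```python
ES_PORTS = (9200, 9300)                      # Elasticsearch default HTTP / transport ports
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}  # source prefixes that cover the public Internet


def port_in(spec, port):
    """True if an NSG port spec ("*", "9200" or "9200-9300") covers the port."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def deciding_rule(rules, port):
    """Return the inbound rule that decides Internet traffic to the port, or None.

    NSG rules are evaluated in ascending priority order and the first match
    wins. None means no custom rule matched, so the default inbound deny applies.
    """
    inbound = (r for r in rules if r["direction"] == "Inbound")
    for rule in sorted(inbound, key=lambda r: r["priority"]):
        if (rule["sourceAddressPrefix"] in ANY_SOURCE
                and port_in(rule["destinationPortRange"], port)):
            return rule
    return None


def exposed_ports(rules, ports=ES_PORTS):
    """Map each Internet-reachable port to the name of the Allow rule opening it."""
    findings = {}
    for port in ports:
        rule = deciding_rule(rules, port)
        if rule is not None and rule["access"] == "Allow":
            findings[port] = rule["name"]
    return findings


# Constructed rule sets (fields flattened from each rule's "properties" object).
BEFORE = [
    {"name": "allow-support-vnet", "priority": 200, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "10.20.0.0/16", "destinationPortRange": "9200-9300"},
    {"name": "deny-internet", "priority": 300, "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "*"},
]
# Hypothetical change: a broad Allow added with a higher priority than the Deny.
AFTER = BEFORE + [
    {"name": "tmp-migration", "priority": 150, "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "9200"},
]
```

Running `exposed_ports` on the rule set before and after every change, and blocking the change when the result is non-empty, turns the audit into a deployment gate rather than a periodic report.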

All in all, the leak was caused by an unfortunate chain of events, and it ultimately failed to cause any major damage, which means that we can all breathe a sigh of relief. We mustn't underestimate the danger, though.

Microsoft said that it's taken a number of precautions to ensure that this doesn't happen again, and we reckon that other companies that process users' personal data should follow suit. The fact of the matter is, information leaks caused by misconfigured Elasticsearch databases are becoming an everyday occurrence, and people don't seem to take notice. This is worrying because while Microsoft does anonymize users' personal information (at least when it's entered into the support system), others don't do that.

January 23, 2020