As many as 250 million Microsoft customer support records were exposed, wide open to anyone with a web browser and requiring no password.
This comes on the heels of the NSA announcing a critical security flaw in Windows.
The wide open records were discovered by the Comparitech security team. What's more, they discovered that there were five identical sets of those 250 million customer records, all wide open, on five different ElasticSearch servers.
“Waaaait a minute,” you may be saying, “why does the name ElasticSearch sound familiar?”
Well, if you are a regular reader of the Internet Patrol, then you recognize it from the article that we wrote last month about the People Data Labs breach which probably included your data.
In that case, as in this one, the ElasticSearch server holding the People Data Labs records – all 4 billion of them – was also wide open. As we wrote, "all that data was completely open and unsecured – no password or other authentication was needed to access all of that data."
The same was true of the Microsoft records, also stored on ElasticSearch servers, and not in duplicate or triplicate but in quintuplicate, on five different ElasticSearch servers.
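If you run ElasticSearch yourself, the check that would have caught the problem above is simple: send an unauthenticated request to the cluster and see whether it answers. The script below is an added example written for this article, not code from Comparitech, Microsoft or the original post. It assumes only the standard ElasticSearch REST endpoints (GET / for the cluster banner and GET /_cat/indices?format=json for the index listing); the sample responses embedded in it are constructed and do not come from the exposed servers.

```python
"""Probe an ElasticSearch HTTP endpoint with no credentials and report whether
it is open. Added example for this article; not code from Comparitech or
Microsoft. Assumes the standard ElasticSearch REST endpoints only."""
import json
import sys
import urllib.error
import urllib.request


def fetch(url, timeout=5):
    """GET url without credentials; return (status, body).
    status is None when the host cannot be reached at all."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # 401/403 still tell us something: the cluster is reachable but guarded.
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def classify(status, body):
    """Map the response to GET / into one verdict:
    'open' (banner served to an anonymous client), 'auth-required',
    'unreachable', or 'not-elasticsearch'."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "auth-required"
    if status != 200:
        return "not-elasticsearch"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    # The banner every ElasticSearch node returns carries a version and tagline.
    if isinstance(doc, dict) and "version" in doc and "tagline" in doc:
        return "open"
    return "not-elasticsearch"


def summarize_indices(body):
    """Turn a /_cat/indices?format=json body into (index, doc_count) pairs,
    largest first, so the size of the exposure is obvious at a glance."""
    try:
        rows = json.loads(body)
    except ValueError:
        return []
    if not isinstance(rows, list):
        return []
    out = []
    for row in rows:
        if not isinstance(row, dict) or "index" not in row:
            continue
        try:
            count = int(row.get("docs.count") or 0)
        except ValueError:
            count = 0
        out.append((row["index"], count))
    out.sort(key=lambda pair: pair[1], reverse=True)
    return out


def probe(base_url, timeout=5):
    """Check one endpoint. Returns (verdict, indices); indices is non-empty
    only when the cluster served its index list to an anonymous client."""
    base_url = base_url.rstrip("/")
    status, body = fetch(base_url + "/", timeout)
    verdict = classify(status, body)
    if verdict != "open":
        return verdict, []
    status, body = fetch(base_url + "/_cat/indices?format=json", timeout)
    indices = summarize_indices(body) if status == 200 else []
    return verdict, indices


# Constructed sample responses, shaped like real ElasticSearch output.
SAMPLE_BANNER = json.dumps({
    "name": "node-1", "cluster_name": "support-logs",
    "version": {"number": "7.5.1"}, "tagline": "You Know, for Search",
})
SAMPLE_CAT_INDICES = json.dumps([
    {"health": "green", "status": "open", "index": "support-cases-2019", "docs.count": "1200000"},
    {"health": "yellow", "status": "open", "index": "support-cases-2005", "docs.count": "8000"},
    {"health": "green", "status": "open", "index": ".kibana_1", "docs.count": "3"},
])

if __name__ == "__main__":
    # Usage: python es_probe.py http://host:9200  (defaults to localhost)
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9200"
    verdict, indices = probe(target)
    print(target, verdict)
    for name, count in indices:
        print(f"  {name}: {count} documents readable without a password")
```

A verdict of "open" against a host that is reachable from the internet is exactly the condition described in this article; the fix is to put the cluster behind authentication and a firewall rather than to rely on the address being hard to guess, since search engines for exposed services index port 9200 routinely.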
The exposed Microsoft customer records, spanning 14 years (from 2005 until the very end of 2019), include both personal information and records of conversations between Microsoft customer support representatives and customers from around the world.
The exposed personal information includes customer email addresses, IP addresses, and locations, some, but not all, of which was redacted. The records also include logs of the interactions between Microsoft support agents and customers, descriptions of and information about those support interactions, and internal confidential notes.
The information about support interactions is particularly worrisome because it gives ammunition to the "Microsoft support" scammers, who, with that information, can make themselves indistinguishable from the real thing. They will be able to reference case numbers, dates, conversations, and the details of a customer's devices and issues, making it very hard to recognize that they are talking with a scammer – unless they are aware that Microsoft tech support will never spontaneously call a customer. So if you get a call "from Microsoft support", hang up!
According to Bob Diachenko, who led the Comparitech team that discovered the exposure, Microsoft immediately took measures to address the situation as soon as Diachenko reached out to them.
Microsoft says in a security post that “We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence. We also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this misconfiguration, investigate the situation, and begin notifying customers as appropriate.”
It is unknown at this time how much of the data was accessed, not that there is much you can do about it anyway, other than to not fall for any scam calls.