As many as 250 million Microsoft customer records have been exposed, sitting wide open to anyone with a web browser and requiring no password at all.
This comes on the heels of the NSA announcing a critical security flaw in Windows.
The wide open records were discovered by the Comparitech Security team. What’s more, they discovered that there were five identical sets of those 250 million customer records, all wide open, on five different ElasticSearch servers.
“Waaaait a minute,” you may be saying, “why does the name ElasticSearch sound familiar?”
Well, if you are a regular reader of the Internet Patrol, then you recognize it from the article that we wrote last month about the People Data Labs breach which probably included your data.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
In that case, as in this one, the ElasticSearch server holding the People Data Labs records – all 4 billion of them – was also wide open. As we wrote, “all that data was completely open and unsecured – no password or other authentication was needed to access all of that data.”
Just like the Microsoft records, which were also stored on ElasticSearch servers – not in duplicate, not in triplicate, but in quintuplicate, on five different ElasticSearch servers.
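The exposure described above comes down to one combination of node settings: a server reachable from outside the host with no authentication in front of it. As an added illustration that is not from the article, from Comparitech, or from Microsoft, the Python below audits an elasticsearch.yml for that combination. The setting names (network.host, http.port, xpack.security.enabled, xpack.security.http.ssl.enabled) are real Elasticsearch 7.x settings; the two sample configurations are constructed, and the assumption that security is off unless the file turns it on reflects the 7.x default of that era.

```python
"""
Audit an elasticsearch.yml for the "wide open" shape: a node bound to a
non-loopback address with xpack security disabled.  Flat key: value parser,
so no PyYAML dependency is needed.
"""

# Constructed sample: the weak shape -- every interface, security off.
EXPOSED_CONFIG = """\
cluster.name: support-logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: the corrected shape -- security on, TLS on the HTTP
# layer, and the node bound to one internal address rather than all of them.
HARDENED_CONFIG = """\
cluster.name: support-logs
network.host: 10.0.5.21          # constructed internal address
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

LOOPBACK = ("_local_", "127.0.0.1", "localhost", "::1")
ALL_INTERFACES = ("0.0.0.0", "::", "_global_", "_site_")


def parse_flat_yaml(text):
    """Parse flat 'key: value' lines, the usual elasticsearch.yml shape.

    Comments after '#' are dropped and surrounding quotes are stripped.
    Nested YAML is not handled; elasticsearch.yml is normally written flat.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def _as_bool(value, default):
    """Interpret a YAML-ish boolean; 'default' applies when the key is absent."""
    if value is None:
        return default
    return value.lower() in ("true", "yes", "on", "1")


def audit(settings):
    """Return a list of findings for the parsed settings; empty means clean."""
    findings = []
    host = settings.get("network.host", "_local_")   # ES binds loopback by default
    port = settings.get("http.port", "9200")
    reachable = host not in LOOPBACK
    # Assumption: 7.x default is security off unless explicitly enabled.
    security_on = _as_bool(settings.get("xpack.security.enabled"), False)
    tls_on = _as_bool(settings.get("xpack.security.http.ssl.enabled"), False)

    if reachable and not security_on:
        findings.append(
            f"network.host={host} with security disabled: anyone who can reach "
            f"port {port} can read every index without a password"
        )
    if reachable and security_on and not tls_on:
        findings.append("HTTP TLS is off: credentials and index data travel in cleartext")
    if host in ALL_INTERFACES:
        findings.append(f"network.host={host} binds every interface; prefer one internal address")
    return findings


def is_wide_open(text):
    """True when a config would expose its indices without any authentication."""
    return any("without a password" in f for f in audit(parse_flat_yaml(text)))


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(parse_flat_yaml(cfg)) or ["no findings"])
```

Run against your own node's configuration file; any "without a password" finding is the same condition that left the records in this story readable by anyone with a browser. Note that a firewall or reverse proxy in front of the node is not visible to this check, so a finding means "verify", not necessarily "exposed to the internet".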
The exposed Microsoft customer records, spanning 14 years (from 2005 until the very end of 2019), include both personal information and records of conversations between Microsoft customer support representatives and customers from around the world.
The exposed personal information includes customer email addresses, IP addresses, and locations, some but not all of which were redacted. The records also include logs of the interactions between Microsoft support agents and customers, as well as descriptions of and information about those support interactions, and internal confidential notes.
The information about support interactions is particularly worrisome because it gives ammunition to the “Microsoft support” scammers, who, with that information, will be able to make themselves indistinguishable from the real thing. They will be able to reference case numbers, dates, conversations, and the details of a customer’s devices and issues, making it impossible for someone to recognize that they are talking with a scammer – unless they are aware that Microsoft tech support will never spontaneously call a customer. So if you get a call “from Microsoft support”, hang up!
According to Bob Diachenko, who led the Comparitech team that discovered the exposure, Microsoft immediately took measures to address the situation as soon as Diachenko reached out to them.
Microsoft says in a security post that “We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence. We also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this misconfiguration, investigate the situation, and begin notifying customers as appropriate.”
It is unknown at this time how much of the data has been accessed; not that there is much you can do about it anyway, other than not falling for any scam calls.