Five identical Elasticsearch databases containing 250 million records of Microsoft customer support incidents were exposed on the internet for all to see for at least two days right at the end of 2019.
On 28 December 2019, these databases were found by BinaryEdge, which crawls the internet looking for exposed data. This was then picked up by security researcher Bob Diachenko, who reported the problem to Microsoft.
Microsoft secured the databases over 30-31 December, winning praise from Diachenko for "quick turnaround on this despite [it being] New Year's Eve".
That is cold comfort for customers whose data was exposed. What has been picked up by security researchers may well also have been found by criminals.
What data was published? These are logs of customer service and support interactions between 2005 and now. The good-ish news is that "most of the personally identifiable information — email aliases, contract numbers, and payment information — was redacted", according to Comparitech. However, a subset contained plain-text data including email addresses, IP addresses, case descriptions, emails from Microsoft support, case numbers and "internal notes marked as confidential".
Armed with this information, there is plenty of scope for identifying the customers, learning more about their internal IT systems if they are businesses, and using the data for activities such as impersonating Microsoft support and thereby gaining access to personal computers or business networks. "Just a quick follow-up on case xxxx…"
Eric Doerr, general manager of Microsoft's Security Response Center (MSRC), said: "We're thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate."
It is not yet clear how many of the records include identifiable information, nor how they break down in terms of business versus consumer interactions. We have asked Microsoft for comment and will update with information received. Microsoft has posted further information about the incident.
Despite the absence of financial or username/password data in the leaked database, the incident is embarrassing for Microsoft, undermining its efforts to keep its customers secure.
Calls from fake Microsoft support staff are nothing new; they are so widespread that most of us have received a few. What's different now is that they may be better informed than before, so the solution is to be even more wary. ®