Microsoft announced a data breach that affected one of its customer databases. According to a blog post entitled “Access Misconfiguration for Customer Support”, the database was exposed between 5th December 2019 and 31st December 2019.
Microsoft did not give many details of how big the database was. The blog post said, “our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data. Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services.”
The blog post also highlighted that, according to Microsoft’s investigation, the vast majority of records had been cleared of personal information in accordance with its standard practices. In some scenarios, the data may have remained unredacted if it met specific conditions.
Comparitech’s security research team uncovered five Elasticsearch servers, each of which contained an apparently identical set of nearly 250 million records: logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019. Microsoft was notified immediately upon discovery of the exposed data and took swift action to secure it.
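The root cause Microsoft describes above is a network security group (NSG) rule change that opened the database to the Internet. The following is an added example, not Microsoft’s code or the actual rules from the incident: it audits a set of NSG-style inbound rules the way an NSG evaluates them (ascending priority, first match wins) and reports which sensitive ports an arbitrary Internet source can reach. The rule fields mimic those of Azure NSG security rules (priority, direction, access, protocol, source prefix, destination port range); the sample rule set is constructed, and the assumption that the exposed store listened on Elasticsearch’s default port 9200 is ours, not the page’s.

```python
"""
Audit NSG-style inbound rules for Internet exposure of sensitive ports.

Constructed example (not Microsoft's code, not the rules from the incident).
The Rule fields mimic Azure NSG security-rule fields; the sample rules and
the choice of "sensitive" ports are assumptions made for illustration.
"""
from dataclasses import dataclass

# Source prefixes that mean "anyone on the Internet" in NSG terms.
PUBLIC_SOURCES = {"*", "Internet", "0.0.0.0/0"}

# Ports treated as sensitive by this audit. 9200 is Elasticsearch's default
# HTTP port (assumption: the exposed database listened there).
SENSITIVE_PORTS = {9200: "elasticsearch", 22: "ssh", 3389: "rdp"}


@dataclass
class Rule:
    name: str
    priority: int      # lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    source: str        # address prefix or service tag
    dest_ports: str    # "9200", "1000-2000", "22,9200" or "*"


def port_matches(spec: str, port: int) -> bool:
    """True if `port` falls within an NSG destination-port spec."""
    if spec == "*":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def effective_access(rules, port: int, proto: str = "Tcp"):
    """
    Decide what an NSG does with a connection from an arbitrary Internet
    address to `port`: walk inbound rules by ascending priority and stop at
    the first match. Returns (access, rule_name); if nothing matches, the
    platform's default DenyAllInbound rule applies.
    """
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != "Inbound":
            continue
        if r.protocol not in ("*", proto):
            continue
        if r.source not in PUBLIC_SOURCES:
            continue  # a specific internal prefix never matches an Internet source
        if port_matches(r.dest_ports, port):
            return r.access, r.name
    return "Deny", "DenyAllInbound (default)"


def find_exposures(rules) -> dict:
    """Return {port: rule_name} for every sensitive port reachable from the Internet."""
    exposed = {}
    for port in SENSITIVE_PORTS:
        access, name = effective_access(rules, port)
        if access == "Allow":
            exposed[port] = name
    return exposed


# Constructed sample: a broad temporary allow inserted ahead of the narrow
# deny, which is the kind of change that silently exposes a database.
SAMPLE_RULES = [
    Rule("AllowSshFromBastion", 100, "Inbound", "Allow", "Tcp", "10.0.1.0/24", "22"),
    Rule("AllowAnalyticsPipeline", 200, "Inbound", "Allow", "Tcp", "10.0.2.0/24", "9200"),
    Rule("AllowAnyInboundTmp", 250, "Inbound", "Allow", "*", "*", "*"),  # the misconfiguration
    Rule("DenyElasticFromInternet", 300, "Inbound", "Deny", "Tcp", "Internet", "9200"),
]

# The same rule set with the broad allow removed.
REMEDIATED_RULES = [r for r in SAMPLE_RULES if r.name != "AllowAnyInboundTmp"]

if __name__ == "__main__":
    for label, rules in (("before", SAMPLE_RULES), ("after", REMEDIATED_RULES)):
        exposures = find_exposures(rules)
        print(f"{label}: {len(exposures)} sensitive port(s) reachable from the Internet")
        for port, rule in sorted(exposures.items()):
            print(f"  {SENSITIVE_PORTS[port]} ({port}) via rule '{rule}'")
```

The point the evaluation order makes is that a lower-numbered “allow everything” rule wins over a higher-numbered deny, so reviewing rules one at a time is not enough; a change-time check like `find_exposures` run against the proposed rule set would have flagged the exposure the day it was introduced rather than weeks later.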
Paul Ducklin, Principal Research Scientist at Sophos, reached out to us and gave his comments on the breach as well.
He said, “Hundreds of millions of records were exposed, but it sounds as though comparatively few people actually had recognizable email addresses in the leaked database. In other words, most people won’t actually receive warnings from Microsoft - but might well receive “warnings” from crooks claiming to be Microsoft.”
He added that if users don’t hear from Microsoft, even if they did contact support during the 2015 to 2019 period, either their data is not in the exposed database, or there wasn’t enough in the leaked database to allow anyone, including Microsoft itself, to identify them.
“Remember: don’t click on links in security warnings, even if you think they’re real. That way you will avoid ending up on phishing sites by mistake, and you won’t put in your password where you shouldn’t. Find your own way to any login pages you use, and never let yourself be frightened or cajoled into relying on contact data provided in an email,” commented Paul.