The customer service records of millions of Microsoft users were left exposed and accessible on the public internet for more than three weeks after a change made to a database network security group in early December 2019 contained misconfigured security rules.
The records exposed included logs of conversations between genuine Microsoft customer service agents and end-users from all over the world, spanning 14 years from 2005 to 2019. The data also included customer email addresses, IP addresses, locations, descriptions of cases, support agent emails, case numbers and resolutions, and some internal documents stored in plain text, although most personally identifiable information (PII) was redacted.
The leak was spotted by Comparitech’s security team alongside security researcher Bob Diachenko, who found five Elasticsearch servers containing an apparently identical set of the records, with no password or other authentication needed to access it. Microsoft was informed of the situation on 29 December, and the servers and data were secured on 31 December.
“I immediately reported this to Microsoft and within 24 hours, all servers were secured,” said Diachenko. “I applaud the MS support team for responsiveness and quick turnaround on this, despite New Year’s Eve.”
Microsoft Security Response Centre GM Eric Doerr added: “We are thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyse data, and notify customers as appropriate.”
It remains unknown whether or not the customer data was accessed by anyone else during the time it was exposed. However, even though most PII was not viewable, the data could hold value for tech support scammers, and customers may now be at heightened risk of such scams.
Tech support scammers often prey on Microsoft customers in their phishing attempts. Generally, they adopt something of a “spray and pray” approach to targeting their victims, trawling lists of phone numbers or emails scraped from other data breaches and impersonating Microsoft tech support agents.
Microsoft never proactively contacts customers to solve any tech problems, and legitimate Microsoft tech support agents are not empowered to ask for passwords or request that someone installs remote desktop applications – a common scamming tactic.
Because of these policies, tech support scams can be detected easily by any reasonably well-informed end-user, but thanks to the global prevalence of the Windows operating system, there will always be some targets who fall victim.
What makes this potential breach more serious is that with logs and case information relating to genuine Microsoft support calls, scammers stand a slightly better chance of success and will be better able to go phishing for more sensitive information.
Microsoft said it was committed to the privacy and security of its consumer customers and was taking action to stop such a leak happening again. Among other things, it is conducting an internal audit of its network security rules covering internal resources, expanding the scope of the mechanisms that it uses to detect security misconfigurations, adding new alerting to them, and taking steps to implement better automation of PII redaction.
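The kind of network security rule audit described above, as an added example that is not Microsoft's tooling and not part of the original article: it models network security group rules with Azure-style fields, evaluates them the way an NSG does (lowest priority number first, first match wins, implicit deny) and flags any Elasticsearch port that a rule opens to the whole internet. The rule names, the two constructed rule sets and the port list are assumptions.

```python
import ipaddress
from dataclasses import dataclass

ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}   # source prefixes that admit the whole internet
ELASTICSEARCH_PORTS = (9200, 9300)            # REST API and node transport

@dataclass
class NsgRule:               # one network security group rule, Azure-style fields
    name: str
    priority: int            # lower number is evaluated first
    direction: str           # "Inbound" or "Outbound"
    access: str              # "Allow" or "Deny"
    protocol: str            # "Tcp", "Udp" or "*"
    source: str              # CIDR, "*" or a service tag such as "Internet"
    dest_ports: str          # "9200", "9200-9300", "22,9200" or "*"

def port_in_range(port, spec):   # spec: comma-separated ports and ranges, or "*"
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if lo == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def source_is_any(source):
    """True when the rule's source prefix admits traffic from anywhere on the internet."""
    if source in ANY_SOURCE:
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False   # other service tags (e.g. "VirtualNetwork") are not the public internet

def first_matching_rule(rules, port, protocol="Tcp"):
    """Return the rule an NSG applies to inbound internet traffic on `port`: ascending
    priority, first match wins; None stands for the implicit DenyAllInbound."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.direction == "Inbound" and rule.protocol in ("*", protocol)
                and source_is_any(rule.source) and port_in_range(port, rule.dest_ports)):
            return rule
    return None

def find_exposed_ports(rules, ports):
    """Map each internet-reachable port to the name of the rule that opens it."""
    hits = {port: first_matching_rule(rules, port) for port in ports}
    return {port: r.name for port, r in hits.items() if r and r.access == "Allow"}

# Constructed rule sets (not Microsoft's real configuration); the change adds a catch-all allow rule.
BEFORE = [NsgRule("AllowCorpElastic", 200, "Inbound", "Allow", "Tcp", "10.0.0.0/8", "9200-9300"),
          NsgRule("DenyInternetDb", 4000, "Inbound", "Deny", "*", "Internet", "*")]
AFTER = [NsgRule("AllowAnyInbound", 100, "Inbound", "Allow", "*", "*", "*")] + BEFORE
```

Running `find_exposed_ports` over each rule set before and after a change is the alerting hook: an empty result for `BEFORE` and both Elasticsearch ports attributed to `AllowAnyInbound` for `AFTER` shows the catch-all rule outranking the intended restriction.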
“Misconfigurations are unfortunately a common error across the industry,” wrote Doerr and Microsoft security VP Ann Johnson in a disclosure blog. “We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.
“We want to sincerely apologise and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future recurrence.”