Microsoft unknowingly exposed 250 million customers' data on web; Who's affected?

After the researchers found the exposed database and informed Microsoft, the tech company took swift action and said it is in the process of notifying affected customers.

Billions of people across the world use Microsoft services on a daily basis, and last year the tech giant revealed that Teams, Microsoft's Slack competitor, is the company's fastest-growing application, with 13 million daily active users and 19 million weekly active users.

In 2013, hackers gained access to Microsoft's secret database for tracking bugs in its software. Later, between January and March 2019, cybercriminals hacked the account of a Microsoft support agent, and the company later said it was possible that the threat actor had accessed the contents of some Outlook users' accounts.

While history shows that hackers have always kept an eye on this highly popular tech company, a security research team recently found that the US tech giant accidentally exposed almost 250 million Customer Service and Support (CSS) records during the New Year.


Microsoft exposed records

The Comparitech security research team, led by Bob Diachenko, found five Elasticsearch servers, each of which contained an allegedly identical set of the 250 million records. After the discovery, Diachenko alerted Microsoft.

The exposed records contained logs of conversations between Microsoft support agents and their customers from all over the world. The information dates back as far as 2005 and is as recent as December 2019. According to the researcher, the databases, containing 14 years of customer support log records, were left accessible to anyone with a web browser. No password or other authentication was required to gain access.

After receiving the alert from the Comparitech security research team, the tech giant took swift action to secure it and said it is in the process of notifying affected customers. The research team stated that the five servers had been indexed by search engine BinaryEdge.

They also revealed that the exposed database contained a wealth of phishing and scam-ready information in plain text. They also found exposed customer email addresses, IP addresses and physical locations, as well as descriptions of customer service claims and cases, their numbers, resolutions and remarks. It should be noted that there were some internal notes found in the database marked as "confidential."


Microsoft vulnerability

As the whole world is currently facing critical cybersecurity issues, this incident could be a buffet for cybercriminals. According to Comparitech researcher Paul Bischoff, it is everything a hacker would need to mount a convincing and large-scale fraud effort.

In a post by Comparitech, Diachenko said that he immediately reported it to Microsoft and that within 24 hours all servers were secured. He also mentioned, "I applaud the MS support team for responsiveness and quick turnaround on this despite New Year's Eve." According to the researcher, however, the team has not found any evidence showing whether any other unauthorized parties accessed the database during that time.

Microsoft General Manager Eric Doerr, while appreciating the researcher's efforts, said, "We're thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate."

When was the database exposed?

According to the researchers, the data was exposed for about two days before they informed the tech company and the records were secured. As mentioned by Comparitech, the database was indexed by search engine BinaryEdge on December 28, 2019, and on the next day the security researcher found the exposed database and notified the company.

On December 30, Microsoft secured the servers and data and, along with the researcher, continued the investigation and remediation process. On January 21 this year, Microsoft disclosed additional information about the exposure as a result of the investigation.
