Most people might be excited to celebrate the start of a new year, full of new chances and opportunities. That wasn’t the case for many of Microsoft’s security teams, who spent the New Year working overtime to close a huge security hole that came to light after a serious leak. Just this Thursday (Jan 22, 2020), Microsoft revealed that it had accidentally leaked 250 million customer service records back in December (Dec 29, 2019), leaving a ton of its customers’ data accessible to anyone with a web browser.
The company acknowledged the security breach almost one month later, stating that it didn’t find any evidence of malicious use of its accidentally leaked customer data.
Comparitech’s Security Research Team, which was led by Bob Diachenko, stated that they successfully discovered the vulnerability on December 29th.
Still, Microsoft was sort-of-quick to take care of the situation, fixing the issue two days later. The company explained that the exposure was caused by a “misconfiguration” of one of its internal customer support databases, but no evidence of “malicious use” was found.
The server included conversation logs that dated as far back as 2005 between members of Microsoft’s dedicated support team and customers from across the world. Comparitech also shared a jaw-dropping shameful fact, stating that Microsoft’s database wasn’t password-protected. Still, Microsoft assured that the “vast majority” of personal data that was exposed was censored.
On the other hand, Comparitech revealed that some specific information, such as email and IP addresses, was stored in plain text, making it fully visible and an easy basis for doxing.
If anyone at all had been able to access the logs, they could have used the personal data of any of Microsoft’s support staff to easily impersonate them and run a phishing scheme.
Microsoft shared a public apology at the end of its blog post, saying “We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence.”
The company has already started notifying all customers whose data was stored in the database.
After Microsoft accidentally leaked 250 million customer service records, it assured that it’s looking to run a thorough inspection of its internal security rules and also implement additional tools to automatically censor any included sensitive user information. The company also assured that it put in place new and expanded alerts to notify its service teams whenever a security misconfiguration is detected.
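As an added illustration of the automatic redaction step mentioned above (this is not Microsoft’s tooling, which the article does not describe), the Python routine below replaces the email and IP addresses found in constructed sample support-log lines with keyed pseudonyms, so the records stay usable for analysis but no longer expose the raw values. The log lines and the key are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample of support-log lines in the style the article describes
# (agent/customer chat with email and IP addresses in plain text). Not real data.
SAMPLE_LOG = """\
2019-12-29T10:14:03Z agent=support.agent@example.com customer=jane.doe@example.org ip=203.0.113.42 msg="Hi Jane, is jane.doe@example.org the address on file?"
2019-12-29T10:15:11Z customer=jane.doe@example.org ip=203.0.113.42 msg="Yes. My backup is j.doe@example.net"
2019-12-29T10:16:40Z agent=support.agent@example.com ip=198.51.100.7 msg="Thanks, case closed."
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")


def pseudonym(value, key, prefix):
    """Stable keyed token: one address always maps to the same token (so
    per-customer analytics still work) but it cannot be reversed without the key."""
    digest = hmac.new(key, value.lower().encode(), hashlib.sha256).hexdigest()
    return f"<{prefix}:{digest[:12]}>"


def redact_line(line, key):
    """Replace every email and IPv4 address in one log line; return (line, counts)."""
    counts = {"email": 0, "ip": 0}

    def sub_email(m):
        counts["email"] += 1
        return pseudonym(m.group(0), key, "email")

    def sub_ip(m):
        counts["ip"] += 1
        return pseudonym(m.group(0), key, "ip")

    line = EMAIL_RE.sub(sub_email, line)  # emails first: tokens contain no '@' or dotted quads
    line = IPV4_RE.sub(sub_ip, line)
    return line, counts


def redact_log(text, key):
    """Redact a whole log; return (redacted_text, totals per category)."""
    out, totals = [], {"email": 0, "ip": 0}
    for raw in text.splitlines():
        clean, c = redact_line(raw, key)
        out.append(clean)
        totals["email"] += c["email"]
        totals["ip"] += c["ip"]
    return "\n".join(out) + "\n", totals
```

The key must be stored separately from the redacted logs; anyone holding both can re-link a token to an address they already know by recomputing the HMAC.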
Nonetheless, this counts as Microsoft’s second major data security breach related to its customer support system in a single year. Back in April 2019, Microsoft revealed that hackers had used a customer support representative’s credentials to breach the email accounts of some of its customers.
What’s important to take from this is that in both cases the internal support systems had almost unmatched levels of access to user information. This made the systems extremely tempting targets for more skilled hackers in both situations (April and December).
Right after the first security breach, Cyxtera’s chief security technology officer Dave Aitel had already warned about the dangers involved with Microsoft’s email breach, stating that support was just “a big security hole waiting to happen.”
As it turns out, Aitel was 100% right as another security breach happened right over the New Year.
All we can do now is hope that Microsoft learns from this second situation and takes the necessary precautions to actually keep its customers’ and support staff’s personal data protected.