Microsoft has been in the news recently for mostly the wrong reasons. There is the Internet Explorer zero-day vulnerability for which Microsoft has not issued a patch, despite it being actively exploited. That came just days after the U.S. Government issued a critical "update now" alert for Windows 10 concerning the "extraordinarily serious" curveball crypto vulnerability. Now a newly published report has revealed that 250 million Microsoft customer records, spanning an incredible 14 years in all, have been exposed online in a database with no password protection.
Microsoft Exposed 250 Million Customer Support Records
Paul Bischoff, a privacy advocate and editor at Comparitech, has revealed how an investigation by the Comparitech security research team uncovered no less than five servers containing the same set of 250 million records. Those records were customer service and support logs detailing conversations between Microsoft support agents and customers from across the world. Incredibly, the unsecured Elasticsearch servers contained records spanning a period from 2005 right through to December 2019. When I say unsecured, I mean that the data was accessible to anyone with a web browser who stumbled across the databases: no authentication at all was required to access them, according to the Comparitech report.
Much of the personally identifiable information in the data appears to have been redacted. However, the researchers say that many records still contained plain text data including customer email addresses, IP addresses, geographical locations, descriptions of the customer service and support claims and cases, Microsoft support agent emails, case numbers and resolutions, and internal notes that had been marked as confidential. This may seem like no big deal in the overall scheme of things, but when you consider that Microsoft support scams are pretty rampant, it doesn't take a genius to work out how valuable such information would be to the fraudsters carrying out such attacks.
In a Microsoft Security Response Center posting dated January 22, Microsoft said that "the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable."
Such misconfigurations are not a rare occurrence, and we recently reported on a data leak that exposed birth certificate applications. Indeed, Microsoft echoed this very sentiment in a blog addressing its customers:
Over the New Year, Microsoft exposed nearly 250 million Customer Service and Support (CSS) records on the web. The records contained logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019. All of the data was left accessible to anyone with a web browser, with no password or other authentication needed.
The Comparitech security research team led by Bob Diachenko uncovered five Elasticsearch servers, each of which contained an apparently identical set of the 250 million records. Diachenko immediately notified Microsoft upon discovering the exposed data, and Microsoft took swift action to secure it.
Even though most personally identifiable information was redacted from the records, the dangers of this exposure should not be underestimated. The data could be valuable to tech support scammers, in particular.
Information held within the breached records included customer email addresses, IP addresses, locations, case and claim descriptions, confidential internal notes, customer case numbers, resolutions and remarks.
This exposure came about as a result of misconfigured security rules on the server holding the Microsoft customer services and support data. Other organizations should therefore put in place some mechanism that detects such misconfigurations, in order to avoid similar incidents.
In a blog post today, the OS maker said that an internal customer support database that was storing anonymized user analytics was accidentally exposed online without proper protections between Dec. 5 and Dec. 31.
The leaky customer support database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations, Diachenko told ZDNet today. All five servers stored the same data, appearing to be mirrors of each other.
The servers contained roughly 250 million entries, with information such as email addresses, IP addresses, and support case details. Microsoft said that most of the records didn't contain any personal user information.
However, in cases where users filed customer support requests using non-standard formatting (for example, "name surname @ email domain com" instead of "name.surname@email.com"), the data was not detected and redacted, and remained in the exposed database.
The Verizon 2019 Data Breach Incident Report (DBIR) in May found that misconfiguration of cloud-based file storage accounted for a fifth (21 percent) of data exposures in the previous 12 months that were caused by errors. In all, cloud storage mishaps exposed a whopping 60 million records in the DBIR dataset.
Microsoft recently announced a data breach affecting one of its customer databases and exposing millions of records, including the personally identifying information (PII) of some customers who may have used Microsoft support since 2005.
The exposed records include customer support records and logs that contained conversations between Microsoft support employees and customers all over the world, including records generated between 2005 and December 2019. According to Microsoft, PII in the database was automatically redacted from the majority of records.
Microsoft officials stated they have started to notify affected customers who may have had their personal information, such as email addresses, exposed. They did not indicate how many customers were affected or what percentage of the records contained unredacted information.
Diachenko and Comparitech found plain text data in many of the records containing information such as customer email addresses and locations, IP addresses, internal confidential notes and Microsoft support agent emails.
A recent report from Risk Based Security found that in the first nine months of 2019, 7.9 billion personal records were exposed in data breaches. The most common type of incident was an accidental internal one, exposing customer records without the presence of a hack.
As a result of the incomplete redaction, Microsoft had to notify all customers that had personally identifiable information remaining in the database. This issue is all-too-common: data entry errors occur frequently, resulting in variations of the standard format within databases. As a result, simple redaction techniques can miss sensitive information that is formatted in unusual or different ways. Had Microsoft implemented more sophisticated redaction techniques and fully removed sensitive information before the database was exposed, they may not have needed to notify customers (or the public) at all.
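The redaction gap described above (a strict pattern sees "name.surname@email.com" but not "name surname @ email domain com") can be closed by normalizing common typed variants before redacting and then auditing the output for anything still shaped like a mailbox. This is an added illustration, not Microsoft's tooling; the variant spellings, the TLD list and the sample log lines are my own constructed assumptions.

```python
import re

# Constructed sample support-log lines; not records from the exposed database.
SAMPLE_LOG = [
    "Case 12345: customer name.surname@email.com reports activation failure.",
    "Case 12346: customer name surname @ email domain com cannot sign in.",
    "Case 12347: reach me at name.surname (at) email (dot) com after 5pm.",
]

# A strict pattern only sees well-formed addresses, which is the gap the
# report describes: "name surname @ email domain com" slips through.
STRICT_EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Substitutions people make when typing an address into free text
# (assumed list; extend it from your own logs).
AT_VARIANTS = re.compile(r"\s*(?:@|\(at\)|\[at\]|\{at\})\s*", re.IGNORECASE)
DOT_VARIANTS = re.compile(r"\s*(?:\(dot\)|\[dot\]|\{dot\})\s*", re.IGNORECASE)
# Domain typed with spaces instead of dots, ending in a recognised TLD (assumed list).
# Lazy '*?' stops at the first TLD so unrelated trailing words survive.
SPACED_DOMAIN = re.compile(
    r"@([\w-]+(?: [\w-]+)*? (?:com|net|org|edu|gov|io|co|uk|de|fr))\b", re.IGNORECASE)
# "name surname@" -> "name.surname@" (joins one extra token only, to limit over-reach).
SPACED_LOCAL = re.compile(r"\b([\w-]+) ([\w-]+)@")


def normalize(text: str) -> str:
    """Rewrite obfuscated or sloppily typed addresses into canonical form."""
    text = AT_VARIANTS.sub("@", text)
    text = DOT_VARIANTS.sub(".", text)
    text = SPACED_DOMAIN.sub(lambda m: "@" + m.group(1).replace(" ", "."), text)
    return SPACED_LOCAL.sub(lambda m: f"{m.group(1)}.{m.group(2)}@", text)


def redact_naive(text: str) -> str:
    """Strict-pattern redaction only: misses non-standard spellings."""
    return STRICT_EMAIL.sub("[EMAIL]", text)


def redact(text: str) -> str:
    """Normalize first, then redact with the same strict pattern."""
    return STRICT_EMAIL.sub("[EMAIL]", normalize(text))


def residual_markers(text: str) -> list:
    """Post-redaction audit: anything still shaped like a mailbox needs review."""
    return re.findall(r"\S+\s*(?:@|\(at\)|\[at\])\s*\S+", text, flags=re.IGNORECASE)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print("naive :", redact_naive(line), residual_markers(redact_naive(line)))
        print("robust:", redact(line), residual_markers(redact(line)))
```

Whitespace-separated domains are inherently ambiguous, so the normalizer favours stopping early; the residual audit is what catches what the regexes miss and routes it to human review before the data is shared.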
Microsoft disclosed a security breach caused by a misconfigured internal customer support database that led to the accidental exposure of roughly 250 million customer support and service records, some of them containing personally identifiable information.
Microsoft didn't get into details such as the number of records exposed, the type of database that was left unprotected, or the type of personal information that was left in the open, only that data in the support case analytics database was "redacted using automated tools to remove personal information."
While most of the records stored within the heavily-redacted internal customer support database used for support case analytics did not contain personal information, some non-standard PII wasn't anonymized.
However, Bob Diachenko, Security Discovery's Cyber Threat Intelligence Director and the researcher who reported the exposed data to Microsoft, was able to tell BleepingComputer that the 250 million customer support and service records were stored on five identical ElasticSearch clusters.
The records "contained chats, cases descriptions - everything you can imagine being part of MS CSS daily routine," he added. Diachenko also confirmed that "most of the data had PII redacted automatically" in the exposed database.
As he also revealed in a report published in collaboration with Comparitech, the records that weren't properly anonymized exposed customer email addresses, IP addresses, locations, CSS claims and case descriptions, Microsoft support agent emails, and internal notes marked as "confidential."
Microsoft accidentally internet-exposed, for three weeks, 250 million customer support records stored in five misconfigured Elasticsearch databases. While the company rapidly locked them down after being alerted, it's an embarrassing gaffe for the technology giant, which has pledged to do better.
In Microsoft's case, the company publicly disclosed the problem on Wednesday, saying the exposed data included email addresses, IP addresses, locations and customer support interactions - including case number and resolutions - as well as confidential internal notes.
On December 5th, 2019, more than 250 million customer support services records dating back to 2005 were exposed due to misconfigured access controls for five Elasticsearch databases. Bob Diachenko discovered these exposed systems on December 29th, 2019 and immediately notified Microsoft, who promptly secured the servers and began an investigation.
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, dive into a research study that explores the risks associated with common cybersecurity vulnerabilities in a factory setting. Also, read about how misconfigured Microsoft cloud databases containing 14 years of customer support logs exposed 250 million records.
Misconfigured Microsoft cloud databases containing 14 years of customer support logs exposed 250 million records to the open internet for 25 days. The account information dates back as far as 2005 and is as recent as December 2019, and exposes Microsoft customers to phishing and tech scams. Microsoft said it is in the process of notifying affected customers.