Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Microsoft Databases Privacy Security

Microsoft Discloses Security Breach of Customer Support Database Containing 250 Million Records (zdnet.com) 32

An anonymous reader quotes a report from ZDNet: Microsoft disclosed today a security breach that took place last month in December 2019. In a blog post today, the OS maker said that an internal customer support database that was storing anonymized user analytics was accidentally exposed online without proper protections between December 5 and December 31. The database was spotted and reported to Microsoft by Bob Diachenko, a security researcher with Security Discovery.

The leaky customer support database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations, Diachenko told ZDNet today. All five servers stored the same data, appearing to be mirrors of each other. Diachenko said Microsoft secured the exposed database on the same day he reported the issue to the OS maker, despite being New Year's Eve. The servers contained roughly 250 million entries, with information such as email addresses, IP addresses, and support case details. Microsoft said that most of the records didn't contain any personal user information.
"Microsoft blamed the accidental server exposure on misconfigured Azure security rules it deployed on December 5, which it now fixed," adds ZDNet.

They went on to list several changes to prevent this sort of thing from happening again, such as "auditing the established network security rules for internal resources" and "adding additional alerting to service teams when security rule misconfigurations are detected."
This discussion has been archived. No new comments can be posted.

Microsoft Discloses Security Breach of Customer Support Database Containing 250 Million Records

Comments Filter:
  • I feel sorry for the sap who had to "secure the database" on new years eve.

    • He deserves it, there is no reason for the network not to be isolated into segments with proper authentication to access across boundaries

      • Re:That sucks (Score:5, Insightful)

        by michelcolman ( 1208008 ) on Thursday January 23, 2020 @04:32AM (#59646716)

        "support database that was storing anonymized user analytics" (...) "with information such as email addresses, IP addresses, and support case details"

        Anonymized, they keep using that word, I do not think it means what they think it means.

  • It's Easy! (Score:5, Insightful)

    by SlashDaniel ( 6248416 ) on Wednesday January 22, 2020 @06:45PM (#59645810)
    If Microsoft doesn't know how to properly secure their own Azure security rules, how do they expect their customers to?
    • exactly, I would mod you up if I had points
    • Why would they?
      Nothing to hide, nothing to fear - remember.
      No need for any of that security garbage. Its to complicated and doesn't come with a nice gui.

    • by gweihir ( 88907 )

      Indeed. Somebody is playing with tech they do not understand. And they apparently do not know how to properly anonymize data either.

    • by sad_ ( 7868 )

      Wanted to make the same comment.
      Cloud is popular (with mgmt) because it's so easy and cheap, but it's neither of those.

      • by gweihir ( 88907 )

        Indeed. Cheap initially and you can get rid of a lot of pesky IT personnel that always wants things and thinks things are more complicated than the management likes them to be. Then, eventually, you find that the cloud is not only more expensive, it comes with some additional pretty bad risks. And you still need all your IT experts, just a few more now because you suddenly need cloud experts.

  • Uh-oh. (Score:5, Funny)

    by mobby_6kl ( 668092 ) on Wednesday January 22, 2020 @07:03PM (#59645884)

    They really should've listened when we called about an important security issue we've discovered. But instead they refused to provide our support staff with remote desktop access and hung up.

  • really microsoft... I know Elasticsearch the best but your busy trying to hawk

    Data Lake Storage for big data analytics | Microsoft Azure
    Azure Data Lake Storage Gen2 is highly scalable and secure storage for big data analytics

  • Ummm, unless I'm mistaken, Elasticsearch is AWS.

    What is Microsoft doing storing stuff on an AWS service??

    • Wikipedia says: Elasticsearch is a search engine based on the Lucene library. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.

      It would have been funny if they had it all hosted on a Godaddy account with unlimited storage space.

    • You are mistaken. Elastic is the company behind elastic search. Not Amazon

  • by Arthur, KBE ( 6444066 ) on Wednesday January 22, 2020 @07:38PM (#59645978)
    That contains customer e-mail and IP addresses? I'm confused. Can someone explain how exactly that works?
    • It's ok there is nothing personal in there :eye_roll:

    • by gweihir ( 88907 )

      Simple: They only anonymized data in "standard" formats (as defined by MS, apparently). If, for example, your email is not in the format "name.surname@email.com", it stayed in plain. Because apparently they believe that running some simple regular expressions over the data and replace what is found is sufficient. The level of incompetence involved is staggering. Alternatively, they just did not care to do it right.

  • I give high odds it was an outsourced or offshore resource. Security is the dirty little secret to pay for these arbitrage shenanigans of the past 15 years.
  • While it's certainly not a good look, I do appreciate the fact that they've owned up to it.
  • very concerned Microsoft Support people who just want to remote fix my computer for free.

    Just my 2 cents ;)
  • Is the other Microsoft telemetry equally not anonymous ?
    • by gweihir ( 88907 )

      Nobody (except MS) really knows. Will probably require a large data-breach of that data to find out. Until then, Win10 gets exactly zero sensitive data from me. This this is only (barely) usable for gaming and that is it.

  • "Microsoft blamed the accidental server exposure on misconfigured Azure security rules it deployed on December 5, which it now fixed," adds ZDNet. The explanation is laughable. Consider re-phrasing for the Titanic disaster: "The White Star Line blames the accidental sinking of the R.M.S. Titanic on a miscommunication in ice warnings and telegraph distress signals utilized when it sailed on April 10th, which has now been fixed." adds the New York Herald Tribune.

"The great question... which I have not been able to answer... is, `What does woman want?'" -- Sigmund Freud

Working...