Microsoft Databases Privacy Security

Microsoft Discloses Security Breach of Customer Support Database Containing 250 Million Records (zdnet.com) 32

An anonymous reader quotes a report from ZDNet: Microsoft disclosed today a security breach that took place last month in December 2019. In a blog post today, the OS maker said that an internal customer support database that was storing anonymized user analytics was accidentally exposed online without proper protections between December 5 and December 31. The database was spotted and reported to Microsoft by Bob Diachenko, a security researcher with Security Discovery.

The leaky customer support database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations, Diachenko told ZDNet today. All five servers stored the same data, appearing to be mirrors of each other. Diachenko said Microsoft secured the exposed database on the same day he reported the issue to the OS maker, despite being New Year's Eve. The servers contained roughly 250 million entries, with information such as email addresses, IP addresses, and support case details. Microsoft said that most of the records didn't contain any personal user information.
"Microsoft blamed the accidental server exposure on misconfigured Azure security rules it deployed on December 5, which it now fixed," adds ZDNet.

They went on to list several changes to prevent this sort of thing from happening again, such as "auditing the established network security rules for internal resources" and "adding additional alerting to service teams when security rule misconfigurations are detected."
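The fix Microsoft describes amounts to checking what each network security rule actually exposes. The script below is an added example, not Microsoft's tooling or anything from the ZDNet report: it takes inbound NSG rules in the field shape emitted by `az network nsg rule list -o json` (an assumption about the fields used here: name, priority, direction, access, protocol, sourceAddressPrefix, destinationPortRange), evaluates them the way Azure does (ascending priority, first match wins), and reports whether the Elasticsearch default ports 9200 and 9300 end up reachable from the internet. The three rule sets are constructed for illustration; the only real default rule included is DenyAllInBound at priority 65500.

```python
"""Audit Azure NSG inbound rules for internet exposure of Elasticsearch ports.

Added example; rule field names assume the `az network nsg rule list` JSON
shape, and all rule sets below are constructed sample data.
"""
import ipaddress

ES_PORTS = (9200, 9300)  # Elasticsearch REST and transport ports

# Source prefixes that admit traffic from the public internet.
PUBLIC_PREFIXES = {"*", "internet", "any", "0.0.0.0/0", "::/0"}


def _port_matches(port_range, port):
    """True if `port` falls inside an NSG port spec ('*', '9200', '9200-9300')."""
    port_range = str(port_range).strip()
    if port_range == "*":
        return True
    if "-" in port_range:
        lo, hi = (int(p) for p in port_range.split("-", 1))
        return lo <= port <= hi
    return int(port_range) == port


def _source_is_public(prefix):
    """True if the source prefix admits traffic from outside private address space.

    Service tags such as VirtualNetwork or AzureLoadBalancer are not parseable
    as networks and are treated as non-public.
    """
    prefix = str(prefix).strip()
    if prefix.lower() in PUBLIC_PREFIXES:
        return True
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False
    return not net.is_private


def internet_exposed_ports(rules, ports=ES_PORTS):
    """Return the subset of `ports` that the NSG allows inbound from the internet.

    Azure evaluates inbound rules in ascending priority; the first rule whose
    source, destination port and protocol match the packet decides.  A port is
    exposed when the first rule matching public-sourced TCP traffic is Allow.
    """
    inbound = sorted(
        (r for r in rules if r["direction"].lower() == "inbound"),
        key=lambda r: r["priority"],
    )
    exposed = []
    for port in ports:
        for rule in inbound:
            if not _port_matches(rule["destinationPortRange"], port):
                continue
            if rule["protocol"] not in ("*", "Tcp"):
                continue
            if not _source_is_public(rule["sourceAddressPrefix"]):
                # An internal-only rule neither admits nor blocks public traffic.
                continue
            if rule["access"].lower() == "allow":
                exposed.append(port)
            break  # first matching rule wins, whether Allow or Deny
    return exposed


def _rule(name, priority, access, source, ports, protocol="Tcp"):
    return {"name": name, "priority": priority, "direction": "Inbound",
            "access": access, "protocol": protocol,
            "sourceAddressPrefix": source, "destinationPortRange": ports}


# Azure's built-in catch-all (real default rule; lowest precedence).
DEFAULT_DENY = _rule("DenyAllInBound", 65500, "Deny", "*", "*", protocol="*")

# Constructed: cluster opened to everyone.
MISCONFIGURED = [_rule("Allow-ES-Any", 100, "Allow", "*", "9200-9300"), DEFAULT_DENY]

# Constructed: allow from an app subnet, explicitly deny the internet.
HARDENED = [
    _rule("Allow-ES-From-AppSubnet", 100, "Allow", "10.10.1.0/24", "9200-9300"),
    _rule("Deny-ES-Internet", 110, "Deny", "Internet", "9200-9300"),
    DEFAULT_DENY,
]

# Constructed: the deny exists, but a "temporary" allow-all outranks it.
SHADOWED = [
    _rule("Allow-All-Temp", 150, "Allow", "*", "*", protocol="*"),
    _rule("Deny-ES-Internet", 200, "Deny", "Internet", "9200-9300"),
    DEFAULT_DENY,
]

if __name__ == "__main__":
    for label, rules in (("misconfigured", MISCONFIGURED),
                         ("hardened", HARDENED), ("shadowed", SHADOWED)):
        print(f"{label:14s} exposed ports: {internet_exposed_ports(rules)}")
```

The SHADOWED set is the case worth remembering: the deny rule is present and correct, but a lower-numbered blanket allow is evaluated first, so the audit must replay priority order rather than grep for a deny. This check only covers one NSG; in Azure, NSGs bound to the subnet and to the NIC both apply, so a production audit should run against the effective rules of each interface.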
  • I feel sorry for the sap who had to "secure the database" on new years eve.

    • He deserves it, there is no reason for the network not to be isolated into segments with proper authentication to access across boundaries

      • Re:That sucks (Score:5, Insightful)

        by michelcolman ( 1208008 ) on Thursday January 23, 2020 @05:32AM (#59646716)

        "support database that was storing anonymized user analytics" (...) "with information such as email addresses, IP addresses, and support case details"

        Anonymized, they keep using that word, I do not think it means what they think it means.

  • It's Easy! (Score:5, Insightful)

    by SlashDaniel ( 6248416 ) on Wednesday January 22, 2020 @07:45PM (#59645810)
    If Microsoft doesn't know how to properly secure their own Azure security rules, how do they expect their customers to?
    • exactly, I would mod you up if I had points
    • Why would they?
      Nothing to hide, nothing to fear - remember.
      No need for any of that security garbage. It's too complicated and doesn't come with a nice GUI.

    • by gweihir ( 88907 )

      Indeed. Somebody is playing with tech they do not understand. And they apparently do not know how to properly anonymize data either.

    • by sad_ ( 7868 )

      Wanted to make the same comment.
      Cloud is popular (with mgmt) because it's so easy and cheap, but it's neither of those.

      • by gweihir ( 88907 )

        Indeed. Cheap initially and you can get rid of a lot of pesky IT personnel that always wants things and thinks things are more complicated than the management likes them to be. Then, eventually, you find that the cloud is not only more expensive, it comes with some additional pretty bad risks. And you still need all your IT experts, just a few more now because you suddenly need cloud experts.

  • Uh-oh. (Score:5, Funny)

    by mobby_6kl ( 668092 ) on Wednesday January 22, 2020 @08:03PM (#59645884)

    They really should've listened when we called about an important security issue we've discovered. But instead they refused to provide our support staff with remote desktop access and hung up.

  • Really, Microsoft... I know Elasticsearch the best, but you're busy trying to hawk

    Data Lake Storage for big data analytics | Microsoft Azure
    Azure Data Lake Storage Gen2 is highly scalable and secure storage for big data analytics

  • Ummm, unless I'm mistaken, Elasticsearch is AWS.

    What is Microsoft doing storing stuff on an AWS service??

    • Wikipedia says: Elasticsearch is a search engine based on the Lucene library. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.

      It would have been funny if they had it all hosted on a Godaddy account with unlimited storage space.

    • You are mistaken. Elastic is the company behind Elasticsearch, not Amazon.

  • by Arthur, KBE ( 6444066 ) on Wednesday January 22, 2020 @08:38PM (#59645978)
    That contains customer e-mail and IP addresses? I'm confused. Can someone explain how exactly that works?
    • It's ok there is nothing personal in there :eye_roll:

    • by gweihir ( 88907 )

      Simple: They only anonymized data in "standard" formats (as defined by MS, apparently). If, for example, your email is not in the format "name.surname@email.com", it stayed in plain. Because apparently they believe that running some simple regular expressions over the data and replacing what is found is sufficient. The level of incompetence involved is staggering. Alternatively, they just did not care to do it right.

  • I give high odds it was an outsourced or offshore resource. Security is the dirty little secret to pay for these arbitrage shenanigans of the past 15 years.
  • While it's certainly not a good look, I do appreciate the fact that they've owned up to it.
  • very concerned Microsoft Support people who just want to remote fix my computer for free.

    Just my 2 cents ;)
  • Is the other Microsoft telemetry equally not anonymous ?
    • by gweihir ( 88907 )

      Nobody (except MS) really knows. Will probably require a large data breach of that data to find out. Until then, Win10 gets exactly zero sensitive data from me. This is only (barely) usable for gaming and that is it.

  • "Microsoft blamed the accidental server exposure on misconfigured Azure security rules it deployed on December 5, which it now fixed," adds ZDNet. The explanation is laughable. Consider re-phrasing for the Titanic disaster: "The White Star Line blames the accidental sinking of the R.M.S. Titanic on a miscommunication in ice warnings and telegraph distress signals utilized when it sailed on April 10th, which has now been fixed." adds the New York Herald Tribune.
