Microsoft Discloses Security Breach of Customer Support Database Containing 250 Million Records (zdnet.com) 32
An anonymous reader quotes a report from ZDNet: Microsoft disclosed today a security breach that took place last month in December 2019. In a blog post today, the OS maker said that an internal customer support database that was storing anonymized user analytics was accidentally exposed online without proper protections between December 5 and December 31. The database was spotted and reported to Microsoft by Bob Diachenko, a security researcher with Security Discovery.
The leaky customer support database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations, Diachenko told ZDNet today. All five servers stored the same data, appearing to be mirrors of each other. Diachenko said Microsoft secured the exposed database on the same day he reported the issue to the OS maker, despite being New Year's Eve. The servers contained roughly 250 million entries, with information such as email addresses, IP addresses, and support case details. Microsoft said that most of the records didn't contain any personal user information. "Microsoft blamed the accidental server exposure on misconfigured Azure security rules it deployed on December 5, which it now fixed," adds ZDNet.
They went on to list several changes to prevent this sort of thing from happening again, such as "auditing the established network security rules for internal resources" and "adding additional alerting to service teams when security rule misconfigurations are detected."
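The summary attributes the exposure to misconfigured Azure security rules and names rule auditing and misconfiguration alerting as the remediation. The following is an added example, not Microsoft's tooling and not part of the original report: it flags inbound allow rules that open Elasticsearch's default ports (9200 and 9300) to any source. It assumes the rules are Azure network security group rules in the flattened JSON shape the `az` CLI prints; all rule names and addresses are constructed.

```python
import ipaddress
import json

# Constructed sample in the flattened shape of `az network nsg rule list -o json`.
# Rule names and address ranges are made up for illustration.
SAMPLE_RULES = json.loads("""[
  {"name": "allow-es-internal", "priority": 100, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "10.20.0.0/16", "destinationPortRange": "9200"},
  {"name": "allow-es-temp", "priority": 110, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "9200-9300"},
  {"name": "allow-https", "priority": 120, "direction": "Inbound", "access": "Allow",
   "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["443"]},
  {"name": "deny-all", "priority": 4000, "direction": "Inbound", "access": "Deny",
   "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
]""")

# Elasticsearch default ports (assumption: the cluster was not moved off its defaults).
SENSITIVE_PORTS = {9200: "Elasticsearch HTTP", 9300: "Elasticsearch transport"}
OPEN_SOURCES = {"*", "internet"}  # wildcard and the Internet service tag

def source_is_public(prefix):
    """True if the source matches every address (wildcard, Internet tag, or a /0 CIDR)."""
    if prefix.lower() in OPEN_SOURCES:
        return True
    try:
        return ipaddress.ip_network(prefix, strict=False).prefixlen == 0
    except ValueError:
        return False  # other service tags (e.g. VirtualNetwork) are not treated as public

def port_in_range(port, spec):
    """Match a port against '*', a single port, or a 'low-high' range."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def audit(rules):
    """Return (rule name, port, label) for each sensitive port an allow rule exposes."""
    findings = []
    for r in sorted(rules, key=lambda r: r["priority"]):  # report in evaluation order
        if r["direction"] != "Inbound" or r["access"] != "Allow":
            continue
        sources = [r.get("sourceAddressPrefix")] + (r.get("sourceAddressPrefixes") or [])
        ports = [r.get("destinationPortRange")] + (r.get("destinationPortRanges") or [])
        if not any(source_is_public(s) for s in sources if s):
            continue
        for port, label in SENSITIVE_PORTS.items():
            if any(port_in_range(port, p) for p in ports if p):
                findings.append((r["name"], port, label))
    return findings

if __name__ == "__main__":
    for name, port, label in audit(SAMPLE_RULES):
        print(f"ALERT {name}: {label} port {port} is reachable from any source")
```

The check is deliberately conservative: it does not model a higher-priority deny rule shadowing the allow, so each finding is a prompt for review rather than proof of exposure.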
That sucks (Score:2)
I feel sorry for the sap who had to "secure the database" on New Year's Eve.
Re: (Score:2)
He deserves it; there is no reason for the network not to be isolated into segments with proper authentication to access across boundaries.
Re:That sucks (Score:5, Insightful)
"support database that was storing anonymized user analytics" (...) "with information such as email addresses, IP addresses, and support case details"
Anonymized, they keep using that word, I do not think it means what they think it means.
It's Easy! (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Why would they?
Nothing to hide, nothing to fear - remember.
No need for any of that security garbage. It's too complicated and doesn't come with a nice GUI.
Re: (Score:2)
Indeed. Somebody is playing with tech they do not understand. And they apparently do not know how to properly anonymize data either.
Re: (Score:2)
Wanted to make the same comment.
Cloud is popular (with mgmt) because it's so easy and cheap, but it's neither of those.
Re: (Score:2)
Indeed. Cheap initially and you can get rid of a lot of pesky IT personnel that always wants things and thinks things are more complicated than the management likes them to be. Then, eventually, you find that the cloud is not only more expensive, it comes with some additional pretty bad risks. And you still need all your IT experts, just a few more now because you suddenly need cloud experts.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Probably customer complaints about it being difficult.
Uh-oh. (Score:5, Funny)
They really should've listened when we called about an important security issue we've discovered. But instead they refused to provide our support staff with remote desktop access and hung up.
Re: (Score:2)
You need to work on your technique, it worked for those other guys.
Elasticsearch ? (Score:2)
Really, Microsoft... I know Elasticsearch the best but you're busy trying to hawk
Data Lake Storage for big data analytics | Microsoft Azure
Azure Data Lake Storage Gen2 is highly scalable and secure storage for big data analytics
Wait...Elasticsearch? (Score:1)
Ummm, unless I'm mistaken, Elasticsearch is AWS.
What is Microsoft doing storing stuff on an AWS service??
Re: (Score:2)
Wikipedia says: Elasticsearch is a search engine based on the Lucene library. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents.
It would have been funny if they had it all hosted on a GoDaddy account with unlimited storage space.
Re: Wait...Elasticsearch? (Score:3)
You are mistaken. Elastic is the company behind Elasticsearch. Not Amazon.
An "anonymized" database (Score:4, Interesting)
Re: (Score:2)
It's ok there is nothing personal in there :eye_roll:
Re: (Score:2)
Simple: They only anonymized data in "standard" formats (as defined by MS, apparently). If, for example, your email is not in the format "name.surname@email.com", it stayed in plain. Because apparently they believe that running some simple regular expressions over the data and replacing what is found is sufficient. The level of incompetence involved is staggering. Alternatively, they just did not care to do it right.
Odds it was offshore? (Score:1)
Appreciate them owning up to it (Score:2)
Re: (Score:2)
You think they had a choice?
Re: (Score:2)
Re: (Score:2)
That only works in certain circumstances.
Great more calls from (Score:2)
Just my 2 cents
other telemetry (Score:1)
Re: (Score:2)
Nobody (except MS) really knows. Will probably require a large data-breach of that data to find out. Until then, Win10 gets exactly zero sensitive data from me. This is only (barely) usable for gaming and that is it.
Laughable explanation (Score:1)