Misconfigured Microsoft database exposed 250 million customer service records

Shawn Knight

In brief: Security researchers with Comparitech recently discovered a collection of 250 million Microsoft Customer Service and Support (CSS) records sitting – unsecured – in a database accessible to anyone with a web browser.

The records contain conversations, logs and information between Microsoft support agents and customers from around the globe dating all the way back to 2005.

Comparitech said it found five Elasticsearch servers, each with a seemingly identical set of the 250 million records, on December 29, 2019 – just one day after they were indexed by search engine BinaryEdge.

Most personally identifiable information was redacted from the records, although many of them contained other information such as customer e-mail addresses, IP addresses, locations, descriptions of CSS claims and cases, support agent e-mails, resolutions and remarks, case numbers and internal notes marked as “confidential.”

Fortunately, Comparitech did the responsible thing and reached out to Microsoft about the matter. Redmond’s support team got right on it and had all of the vulnerable servers secured within 24 hours.

Even with the short window, there was opportunity for nefarious activity, although Comparitech said it is unsure whether any other unauthorized parties accessed the databases during that time.

In its own blog post, Microsoft held itself accountable, citing a change made to the database’s network security group on December 5, 2019, as the culprit. The company said the issue was “specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services.”

Masthead credit: Microsoft by VDB Photos. Servers by Stock image.


 
So no need to fear of w10 taking photos of you, recording sound, logging keystrokes and sending all this to MS. What could possibly go wrong?
 
A more direct control would be to have any administrator that fails to secure their servers & databases face public execution. After the first or second one I think you'd see priorities get straightened out VERY quickly, plus we weed out the incompetent administrators making more jobs available to the unemployed ..... LOL
 
A more direct control would be to have any administrator that fails to secure their servers & databases face public execution. After the first or second one I think you'd see priorities get straightened out VERY quickly, plus we weed out the incompetent administrators making more jobs available to the unemployed ..... LOL
Or there would be no one to run the system at all :p
 
Even scarier is MS cloud services. The sharing/passing of corporate LAN credentials has me very concerned.
 
Another day, another exposed database!
Well it's not a US State using outdated Windows 7 with many vulnerabilities and have cybersecurity equal to a hot-dog (with ketchup and/or mustard), then pay 1 million for a ransomware, that's for sure.
 
So no need to fear of w10 taking photos of you, recording sound, logging keystrokes and sending all this to MS. What could possibly go wrong?
Right? I mean, after all, Microsoft is such a trustworthy entity, isn't it.
(please note, severe sarcasm)
 
Right? I mean, after all, Microsoft is such a trustworthy entity, isn't it.
(please note, severe sarcasm)

Don't worry, Google knows a lot more about you than Microsoft. You're carrying your personal spying device constantly with you, right? If not, that means you're hiding something, and that means you're a terrorist.

Oh, wait, it's not 2025. It's still allowed to walk on the street without carrying a personal spying device. For now.
 