Microsoft Inadvertently Exposes Quarter of a Billion Customer Service Records
“Support is a big security hole waiting to happen.” Dave Aitel
Microsoft has disclosed details of a mammoth database error that saw customer service and support records of up to 250 million people freely accessible to anyone with a web browser and an internet connection.
The loophole was first identified by the well-known security researcher Bob Diachenko and Comparitech on December 29th, as most people were winding down in preparation for New Year's festivities. It has been reported that Microsoft fixed the loophole in around two days, stating that the exposure of records was the result of a “misconfiguration” of its customer support databases, and adding that there is no evidence of “malicious use” of the data that was exposed.
“Internal support systems have almost unprecedented levels of access to user information, making them enticing targets to hackers.” - Igor Bonifacic
Engadget is reporting that “the server included conversation logs dating as far back as 2005 between Microsoft support personnel and customers from around the world. According to Comparitech, the database wasn’t password-protected.”
Microsoft was keen to point out that the “vast majority” of the personal data that was temporarily exposed had been redacted; however, Comparitech has stated that some personal information, such as email and IP addresses, was freely accessible in plain text.
“Had someone been able to access the logs, they could have used them to more easily impersonate the company’s staff in a phishing scheme,” notes Igor Bonifacic.
Microsoft has since released a statement on the security flaw, stating that “we want to sincerely apologise and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence,” adding that the company was notifying users whose data was stored on the database to mitigate the chances of future phishing attempts leveraging their data.
Bonifacic has noted that for Microsoft, “this is the second major data security incident tied to its customer support system in a single year. In April 2019, the company disclosed that hackers had used a customer support representative’s credentials to breach the email accounts of some of its users. Ultimately, the issue in both cases is that internal support systems have almost unprecedented levels of access to user information, making them enticing targets to hackers.”
This sentiment was echoed by Dave Aitel, chief security technology officer at Cyxtera, who told Wired that “support is a big security hole waiting to happen.”