For about a month, Microsoft exposed databases containing 250 million customer support records. The misconfiguration has since been corrected, but it raises questions about the use that malicious actors could make of the data.
Microsoft is having a complicated start to 2020 where cybersecurity and users' privacy are concerned. Shortly after announcing the discovery of a flaw in its Windows 10 operating system, the company said on Wednesday, January 22nd, 2020 that it had exposed databases containing the records of 250 million users of its customer support. The exposure, identified on December 29, was corrected within two days and reportedly resulted from a misconfiguration.
FREE ACCESS TO PERSONAL USERS DATA
The files in question were accessible to anyone from a simple web browser, "without the need for a password or any authentication measures," Microsoft said in a blog post.
The multinational waited almost a month, the time needed for an internal investigation, before explaining itself. Concretely, conversations between company employees and customers around the world, which took place between 2005 and 2019, were exposed without any password or other authentication requirement. The investigation did not determine whether third parties took advantage of the exposure, which contained sensitive information, including email and IP addresses, customer locations and support claims, and confidential internal notes.
Cybersecurity researcher Bob Diachenko, who discovered the exposure and immediately informed Microsoft, estimated that the databases remained unprotected for nearly a month, between December 5 and December 31, 2019. This expert, who works for the independent company Comparitech, pointed out that this type of incident is quite common and typically originates in Elasticsearch servers, which are widely used to run cloud applications. Evidently poorly protected, five such servers belonging to Microsoft had their content exposed on the Web through a single IP address. Although the Redmond company says it has deployed a fix and intends to maintain this level of security going forward, the revelation immediately raises questions about the opportunity for attackers to exploit the problems reported by users of its products.
[NEW REPORT] Misconfigurations happen - no matter how big or secured a company is. Here is my new report. 250M+ million Microsoft's Customer Service and Support (CSS) records were exposed on the web. https://t.co/C1Ll0nT8vz — Bob Diachenko (@MayhemDayOne) January 22, 2020
This type of breach lets attackers exploit the problems customers reported to Microsoft employees and appear even more credible, because they know the contents of the support files.
BEWARE OF PHONE SCAM ATTACKS
Windows is the most widely used operating system in the world, so it is easy to pose as a Microsoft support representative. Microsoft never proactively contacts users to resolve technical issues; users must first ask Microsoft for help, the researchers warn. Microsoft employees will not ask you for your password or ask you to install remote desktop applications such as TeamViewer. These are common tactics among tech support scammers.
Microsoft added more details about this incident. "Our investigation determined that a change made to the database's network security group (NSG) on December 5, 2019, contained misconfigured security rules that enabled exposure of the data. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services." The data in the files has been deleted, the company confirmed, committing to several measures so that this kind of problem does not recur.
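The root cause Microsoft describes is a network security group rule change that opened the database to the Internet. The following Python script is an added example, not Microsoft's or Comparitech's code, showing how a defender can audit NSG-style rules for exactly that class of mistake. It assumes a rule record shaped like an Azure NSG security rule (priority, direction, access, protocol, sourceAddressPrefix, destinationPortRange); the rule sets it evaluates are constructed sample data, and the Elasticsearch default ports 9200 and 9300 are the only facts it relies on. It also demonstrates a subtler failure than a single open port: because NSG rules are matched in ascending priority order with the first match winning, a narrow Deny placed after a broad Allow has no effect.

```python
"""Audit NSG-style inbound rules for Internet exposure of Elasticsearch ports.

Added example (not Microsoft's code). The rule records are constructed sample
data in the shape of an Azure NSG security rule; the evaluation order (lowest
priority number first, first match wins) follows documented NSG semantics.
"""
from typing import Dict, List, Tuple

# Elasticsearch defaults: 9200 for the HTTP API, 9300 for node transport.
ELASTICSEARCH_PORTS = (9200, 9300)

# Source prefixes that mean "any host on the Internet" in a rule.
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}

# Constructed sample: a rule set after a careless change. The broad
# "allow-monitoring" rule is the deliberate misconfiguration; note that the
# later, narrower Deny for 9300 cannot override it.
SAMPLE_RULES: List[Dict] = [
    {"name": "allow-ssh-from-corp", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8",
     "destinationPortRange": "22"},
    {"name": "allow-monitoring", "priority": 200, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "9000-9400"},
    {"name": "deny-es-transport", "priority": 300, "direction": "Inbound",
     "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "9300"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
]

# Constructed corrected set: the monitoring rule is scoped to the corporate
# prefix, so Internet traffic no longer matches any Allow rule.
FIXED_RULES: List[Dict] = [
    dict(rule, sourceAddressPrefix="10.0.0.0/8")
    if rule["name"] == "allow-monitoring" else rule
    for rule in SAMPLE_RULES
]


def port_in_range(port: int, port_range: str) -> bool:
    """True if `port` falls inside a destinationPortRange such as "*", "9200" or "9000-9400"."""
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = (int(p) for p in port_range.split("-", 1))
        return low <= port <= high
    return port == int(port_range)


def effective_access(rules: List[Dict], port: int) -> Tuple[str, str]:
    """Return (access, rule name) for inbound TCP from the Internet to `port`.

    Rules are evaluated lowest priority number first and the first match wins.
    A rule restricted to a specific prefix is treated as not matching Internet
    traffic. If nothing matches, the platform's implicit default is Deny.
    """
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound":
            continue
        if rule["protocol"] not in ("*", "Tcp"):
            continue
        if rule["sourceAddressPrefix"] not in INTERNET_SOURCES:
            continue
        if not port_in_range(port, rule["destinationPortRange"]):
            continue
        return rule["access"], rule["name"]
    return "Deny", "implicit"


def find_exposed_ports(rules: List[Dict], ports=ELASTICSEARCH_PORTS) -> Dict[int, str]:
    """Map each sensitive port reachable from the Internet to the rule that allows it."""
    exposed = {}
    for port in ports:
        access, name = effective_access(rules, port)
        if access == "Allow":
            exposed[port] = name
    return exposed


if __name__ == "__main__":
    for label, rules in (("sample", SAMPLE_RULES), ("fixed", FIXED_RULES)):
        result = find_exposed_ports(rules)
        if result:
            for port, name in result.items():
                print(f"[{label}] port {port} reachable from the Internet via rule '{name}'")
        else:
            print(f"[{label}] no Elasticsearch port reachable from the Internet")
```

Run against the sample rule set, the audit reports both 9200 and 9300 as reachable through `allow-monitoring`, even though a Deny for 9300 exists, which is the kind of finding a change-review hook on NSG updates should block before the change is applied. The same check against the corrected set reports nothing exposed.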