Researchers find open Microsoft database with 250 million support records

Configuration mistakes by staff can be a huge embarrassment to organizations, defeating even the biggest IT security budget. Often these mistakes result in databases of sensitive information being left open on the internet for a lucky hacker to trip over.

The latest publicly-identified victim is Microsoft. Researchers at Comparitech, a U.K.-based site that reviews consumer IT security products, said this morning they recently found five Elasticsearch servers belonging to the software giant, each holding an identical copy of nearly 250 million customer service and support records, exposed without a password or any other authentication needed for access.

The records contained logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to last December. All of the data was left accessible to anyone with a web browser, with no password or other authentication needed.

Microsoft quickly secured the data after being notified.

Independent researcher Bob Diachenko, who led the team, was quoted as saying that most of the personally identifiable information, such as email aliases, contract numbers, and payment information, was redacted in the data.

However, many records contained plain text data, including customer email addresses, IP addresses, locations, descriptions of claims and cases, Microsoft support agent emails, case numbers, resolutions, and remarks, and internal notes marked as “confidential”.

One can speculate that a Microsoft employee wanting to look for trends in the customer support data figured with the personally identifiable information redacted the database didn’t need to be password protected.

However, Comparitech argues that readable data could still be valuable to hackers, particularly to give credibility to those involved in Microsoft tech support scams. For example, knowing a customer’s email address would allow a scammer to craft an email starting “Following up on your recent support incident.”

Diachenko is one of several researchers who use the Shodan search engine to find and expose companies with unprotected databases, often sitting on Amazon AWS infrastructure. In 2018 he found an open MongoDB server belonging to data management company Veeam Software. Just over a year ago he and a team found an open database belonging to a Texas data processing company.

Other researchers are also finding easy pickings. In 2018 one found that Canadian and British government staffers had misconfigured some of their web-based Trello project management software, exposing details of software bugs and security plans, as well as passwords for servers and other sensitive information.

Many of these discoveries — as in the Microsoft case — are repositories of data held in Elasticsearch instances. Last summer, for example, Canadian security consultant Darryl Burke found two open Elasticsearch databases, one of which held sensitive personal information of Middle East residents looking to immigrate to Canada.

Elasticsearch is an open-source analytics search engine organizations use to hunt through their data. What many companies don’t realize, Burke said in an interview at the time, is that it keeps a cache of data it indexes. If the Elasticsearch server is open to the Internet but not secured with a username and password — and, ideally, two-factor authentication — then that data is open to discovery by an attacker.
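The exposure described above is easy to verify against your own inventory: an Elasticsearch node that answers its REST root and index listing without credentials is open to anyone who finds it. The script below is an added example written for this article, not Comparitech's or Diachenko's tooling and not Microsoft's code; it assumes a hypothetical host you administer and uses constructed sample responses so the verdict logic runs offline. The two endpoints it queries, "/" and "/_cat/indices?format=json", are real Elasticsearch REST paths.

```python
"""Audit whether an Elasticsearch endpoint answers without authentication.

Added example (hypothetical host, constructed sample responses).
A node with the security plugin enabled answers 401 to an unauthenticated
request; an open node returns cluster metadata and, via _cat/indices, the
name and document count of every index it holds.
"""
import json
import urllib.error
import urllib.request

ES_ROOT = "/"
ES_INDICES = "/_cat/indices?format=json"


def classify(status, body):
    """Map an HTTP status and body from GET / to an exposure verdict.

    Returns one of: "secured", "exposed", "not-elasticsearch", "unreachable".
    """
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "secured"            # authentication is enforced
    if status != 200:
        return "not-elasticsearch"
    try:
        data = json.loads(body)
    except ValueError:
        return "not-elasticsearch"  # e.g. an HTML page from something else on the port
    # The Elasticsearch root document always carries cluster_name and version.
    if isinstance(data, dict) and "cluster_name" in data and "version" in data:
        return "exposed"
    return "not-elasticsearch"


def summarize_indices(body):
    """Return [(index_name, doc_count)] from a /_cat/indices?format=json body.

    docs.count is null for closed indices, so treat a missing count as 0.
    """
    return [(row["index"], int(row.get("docs.count") or 0)) for row in json.loads(body)]


def fetch(url, timeout=5):
    """GET url with no credentials; return (status, body) or (None, error text)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as e:
        return None, str(e)


def audit(base_url):
    """Check one node you own; list its indices only if the root was open."""
    status, body = fetch(base_url + ES_ROOT)
    report = {"url": base_url, "verdict": classify(status, body), "indices": []}
    if report["verdict"] == "exposed":
        s2, b2 = fetch(base_url + ES_INDICES)
        if s2 == 200:
            report["indices"] = summarize_indices(b2)
    return report


# Constructed sample responses (not captured from any real server).
SAMPLE_ROOT_OPEN = json.dumps({"name": "node-1", "cluster_name": "support-logs",
                               "version": {"number": "7.4.0"},
                               "tagline": "You Know, for Search"})
SAMPLE_ROOT_SECURED = json.dumps({"error": {"type": "security_exception",
                                  "reason": "missing authentication credentials for REST request"},
                                  "status": 401})
SAMPLE_INDICES = json.dumps([
    {"health": "green", "status": "open", "index": "support-cases-2019",
     "docs.count": "24910233", "store.size": "12gb"},
    {"health": "yellow", "status": "open", "index": ".kibana_1",
     "docs.count": "12", "store.size": "40kb"},
])

if __name__ == "__main__":
    print(classify(200, SAMPLE_ROOT_OPEN))     # exposed
    print(classify(401, SAMPLE_ROOT_SECURED))  # secured
    print(summarize_indices(SAMPLE_INDICES))
    # Live check against a node you administer (hypothetical address):
    # print(audit("http://127.0.0.1:9200"))
```

Run it from a scheduled job over your own host list and alert on any "exposed" verdict. The matching fix on the node itself is in elasticsearch.yml: bind network.host to a private interface rather than a public one, and set xpack.security.enabled: true so that every request must carry credentials.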

To combat misconfigurations, cloud storage providers like Amazon AWS and Microsoft Azure are either making storage closed to the Internet by default or beefing up their security detection tools.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
