The Microsoft team shared that they have done some work to protect user information by redacting personal data to ensure that it cannot be traced to any individuals
BillyReport 25 Jan 2020 0
A mere three days ago, Microsoft was back at it again with customers informing them of yet another security blunder that left close to 250 million Customer Service and Support accounts exposed on the Internet. This they say was as a result of a misconfigured server which carried information shared between users and customer service support agents from Microsoft spanning the last 14 years.
The cybersecurity researcher responsible for identifying the mistake, Bob Diachenko, promptly shared the information with Microsoft concerning their exposed database and thus aided measures to attempt to fix the damage done.
In response to this inadvertent mess up, Microsoft shared that the information in the public domain was largely redacted due to some work done by their team to protect user identities and interests and as such cannot be traced to one such person or user and this prevents it from being exploited by attackers in the wild.
The leak affects close to 250 million users
Image Source: comparitech.com
Our investigation confirmed that the vast majority of records were cleared of personal information in accordance with our standard practices.
This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services.
They however acknowledged that this data dump was a result of an inadequacy and shared that some misconfigured security rules recently updated to a server on the 5th of December last year is what led to the data being exposed – and this has since been rectified by engineers since December 31st.
This was met with high scepticism from a number of cybersecurity researchers and authorities including Diachenko himself, who stated at the time he noticed the leak, a varied many of the records showed personal information of users including that of their email addresses, case numbers – resolutions etc. and many others including that of the IP addresses and locations of affected users which is more than enough fodder for an attacker to exploit them and impersonate Microsoft representatives to delude customers.
It was a sentiment closely followed by Ekaterina Khrustaleva, Chief Operating Officer of ImmuniWeb who shared,
The absence of Personally Identifiable Information in the dump is irrelevant here given that technical support logs frequently expose VIP clients, their internal systems and network configurations, and even passwords.
She reiterated to thehackernews.com,
The data is a gold mine for patient criminals aiming to breach large organizations and governments. Worse, many large companies and not only Microsoft have lost visibility of their external attack surface, exposing their clients and partners to significant risks. We will likely see a multitude of similar incidents in 2020.
At the present, Microsoft are yet to share any means by which they intend to get the data leaked off the internet and they certainly have shared no insight into how they intend to prevent such mistakes from happening again in the future, but say they have made efforts to inform users who have been affected by the data dump about the leak.