Microsoft has been in the news recently, mostly for the wrong reasons. There is the Internet Explorer zero-day vulnerability that Microsoft has not yet patched, despite it being actively exploited. That came just days after the U.S. Government issued an alert urging Windows 10 users to update immediately because of the "extraordinarily serious" Curveball crypto vulnerability. Now a newly published report has revealed that 250 million Microsoft customer records, spanning an incredible 14 years in all, were exposed online in databases with no password protection.
Paul Bischoff, a privacy advocate and editor at Comparitech, has revealed how an investigation by the Comparitech security research team uncovered no fewer than five servers containing the same set of 250 million records. Those records were customer service and support logs detailing conversations between Microsoft support agents and customers from across the world. Incredibly, the unsecured Elasticsearch servers contained records spanning a period from 2005 right through to December 2019. When I say unsecured, I mean that the data was accessible to anyone with a web browser who stumbled across the databases: according to the Comparitech report, no authentication at all was required to access them.
Much of the personally identifiable information in the records appears to have been redacted. However, the researchers say that many records still contained plain-text data, including customer email addresses, IP addresses, geographical locations, descriptions of the customer service and support claims and cases, Microsoft support agent emails, case numbers and resolutions, and internal notes that had been marked as confidential. This may seem like no big deal in the overall scheme of things, but when you consider how rampant tech support scams impersonating Microsoft are, it doesn't take a genius to work out how valuable such information would be to the fraudsters carrying out those attacks: a caller who can quote your real case number and the agent's real name is far more convincing than one who cannot.
On December 28, 2019, the databases in question were discovered and indexed by the threat intelligence search engine BinaryEdge. The following day, Bob Diachenko, who led the Comparitech security research team, spotted them and notified Microsoft. "I immediately reported this to Microsoft, and within 24 hours, all servers were secured," Diachenko said. Considering the time of year, this was a remarkably quick response. That said, it was also a remarkably serious leak.
In a Microsoft Security Response Center posting dated January 22, Microsoft said that "the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable."
That posting also confirmed that the exposure of the database started on December 5, 2019, as the result of misconfigured security rules, and was remediated on December 31. The statement included an apology from Microsoft: "We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence."
I asked Ian Thornton-Trump, CISO at Cyjax and co-host of the BeerConOne virtual security conference, for his thoughts about this incident. "This is massive, and not unexpected to be honest," he said, "it just shows how difficult it is for anyone, even a giant tech company, to manage data and storage correctly."
Over the New Year, Microsoft exposed nearly 250 million Customer Service and Support (CSS) records on the web. The records contained logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019. All of the data was left accessible to anyone with a web browser, with no password or other authentication needed.
The Comparitech security research team led by Bob Diachenko uncovered five Elasticsearch servers, each of which contained an apparently identical set of the 250 million records. Diachenko immediately notified Microsoft upon discovering the exposed data, and Microsoft took swift action to secure it.
Even though most personally identifiable information was redacted from the records, the dangers of this exposure should not be underestimated. The data could be valuable to tech support scammers, in particular.
With detailed logs and case information in hand, scammers stand a better chance of succeeding against their targets. If scammers obtained the data before it was secured, they could exploit it by impersonating a real Microsoft employee and referring to a real case number. From there, they could phish for sensitive information or hijack user devices.
We investigate the contents of the database to determine what information was exposed and to whom it belongs. Our goal is to mitigate harm to end users by limiting access to the data and raising awareness among those who might be impacted.
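The exposure described above came down to one thing: Elasticsearch nodes that answered anonymous HTTP requests. As an added example (not code from the article, from Microsoft or from Comparitech's research), here is a small Python audit that asks an endpoint the same two questions a stray browser would: does `GET /` return cluster metadata, and does `GET /_cat/indices?format=json` list indices and document counts without credentials? Only those two standard Elasticsearch REST calls are assumed; the hostname `es.example.invalid`, the index names and the canned responses are constructed so the script runs offline.

```python
"""Classify an Elasticsearch endpoint by what an unauthenticated client sees.

Added example, not from the article or Comparitech. Assumes only the standard
Elasticsearch REST API (`GET /` and `GET /_cat/indices?format=json`).
The host and the sample responses below are constructed.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Fetch = Callable[[str], Tuple[Optional[int], str]]


@dataclass
class ExposureReport:
    endpoint: str
    status: str   # unreachable | auth_required | not_elasticsearch | open_metadata | open
    cluster_name: str = ""
    version: str = ""
    indices: List[Tuple[str, int]] = field(default_factory=list)
    total_docs: int = 0

    def summary(self) -> str:
        if self.status == "open":
            return (f"{self.endpoint}: OPEN - cluster '{self.cluster_name}' "
                    f"(v{self.version}), {len(self.indices)} indices, "
                    f"{self.total_docs:,} documents readable with no credentials")
        return f"{self.endpoint}: {self.status}"


def http_get(url: str, timeout: float = 5.0) -> Tuple[Optional[int], str]:
    """GET with no credentials. Returns (status, body); (None, '') if unreachable."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # 401/403/404 still carry a code
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):   # refused, DNS failure, timeout
        return None, ""


def audit_elasticsearch(base_url: str, fetch: Fetch = http_get) -> ExposureReport:
    """`fetch` is injectable so the logic can be exercised offline."""
    base_url = base_url.rstrip("/")
    report = ExposureReport(endpoint=base_url, status="unreachable")

    code, body = fetch(base_url + "/")
    if code is None:
        return report
    if code in (401, 403):
        report.status = "auth_required"        # security enabled, anonymous rejected
        return report
    try:
        root = json.loads(body) if code == 200 else {}
    except json.JSONDecodeError:
        root = {}
    if not isinstance(root, dict) or "cluster_name" not in root:
        report.status = "not_elasticsearch"    # something else answers on this port
        return report

    report.cluster_name = root["cluster_name"]
    report.version = root.get("version", {}).get("number", "")
    report.status = "open_metadata"            # root readable; now try the data

    code, body = fetch(base_url + "/_cat/indices?format=json")
    if code == 200:
        try:
            for idx in json.loads(body):
                count = int(idx.get("docs.count") or 0)  # _cat returns counts as strings
                report.indices.append((idx.get("index", "?"), count))
                report.total_docs += count
            report.status = "open"
        except (json.JSONDecodeError, ValueError, AttributeError):
            pass                               # listing garbled: stay at open_metadata
    return report


# Constructed responses standing in for a live node; no real host is contacted.
HOST = "http://es.example.invalid:9200"
SAMPLE_OPEN = {
    HOST + "/": (200, json.dumps({"name": "node-1", "cluster_name": "support-logs",
                                  "version": {"number": "6.8.0"},
                                  "tagline": "You Know, for Search"})),
    HOST + "/_cat/indices?format=json": (200, json.dumps([
        {"index": "css-cases-2019", "docs.count": "1500000"},
        {"index": "css-cases-2005", "docs.count": "250"}])),
}
SAMPLE_SECURED = {HOST + "/": (401, '{"error":{"type":"security_exception"}}')}


def fake_fetch(table: dict) -> Fetch:
    """Serve canned responses; unknown URLs behave like a refused connection."""
    return lambda url: table.get(url, (None, ""))


if __name__ == "__main__":
    for table in (SAMPLE_OPEN, SAMPLE_SECURED):
        print(audit_elasticsearch(HOST, fetch=fake_fetch(table)).summary())
```

Run against a real address by calling `audit_elasticsearch("http://host:9200")` with the default fetcher (only against systems you are authorised to test). A status of `open` is the Comparitech finding in miniature: an anonymous client can enumerate indices and document counts, and from there read the documents. The remediation is the same whichever cloud hosts the node: do not expose port 9200 to the internet (bind `network.host` to a private interface and restrict it with network security rules) and turn on Elasticsearch's authentication (`xpack.security.enabled: true` in `elasticsearch.yml`), so that the first request returns 401 rather than the cluster name.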
Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, dive into a research study that explores the risks associated with common cybersecurity vulnerabilities in a factory setting. Also, read about how misconfigured Microsoft cloud databases containing 14 years of customer support logs exposed 250 million records.
Last week, Microsoft disclosed vulnerability CVE-2020-0601 and released a patch for it in the same update, protecting systems against any exploits stemming from the flaw. Understanding how difficult it can be to patch systems in a timely manner, Trend Micro created a tool that tests endpoints to determine whether they have been patched against this latest threat or are still vulnerable.
Malicious hackers are targeting factories and industrial environments with a wide variety of malware and cyberattacks including ransomware and cryptocurrency miners. All of these incidents were spotted by researchers at Trend Micro who built a honeypot that mimicked the environment of a real factory. The fake factory featured some common cybersecurity vulnerabilities to make it appealing for hackers to discover and target.
Misconfigured Microsoft cloud databases containing 14 years of customer support logs exposed 250 million records to the open internet for 25 days. The records date back as far as 2005 and as recently as December 2019, and their exposure leaves Microsoft customers open to phishing and tech support scams. Microsoft said it is in the process of notifying affected customers.
Researchers from Google's Information Security Engineering team have detailed several security issues in the design of Apple's Safari anti-tracking system, Intelligent Tracking Prevention (ITP). ITP is designed to restrict cookies and is Apple's answer to online marketers that track users across websites. However, Google researchers argue in a new paper that ITP leaks Safari users' web browsing habits.
A hacker has published the credentials of over 515,000 servers, routers, and IoT devices on a well-known hacking forum. ZDNet reported that the list consists of each device's IP address together with the username and password for its Telnet service, the remote-administration service that allows these devices to be controlled over the internet.
A recent business email compromise (BEC) campaign, purportedly coming from a small number of scammers in Germany, targets organizations by sending them emails with IMG file attachments hiding a NetWire remote access trojan (RAT). The campaign was discovered by IBM X-Force security researchers and involves sending an employee of the targeted organization an email masquerading as a corporate request.
At least 75% of customers shop online monthly, with businesses striving to tap into the $6.3 trillion ecommerce industry. WooCommerce is a popular tool for building ecommerce sites, but nowadays site speed determines success. A slow site can severely impact customer retention and conversion rates. Surveys show that 82% of consumers are negatively affected by slow page speeds.
Poor hosting slows down your ecommerce store through limited server storage capacity and sub-optimal resources. Vendors that operate a shared architecture, hosting several websites on a single set of servers, can also degrade service quality. The result is delayed content delivery.
Using a fancy theme to make an impact on consumers is tempting, but such themes can slow WooCommerce down because of heavy elements like sliders, images, and videos. Even simple themes can cause problems if they contain sub-optimal code or slow-loading scripts.
A WooCommerce site stores all the data in WordPress default and custom tables that grow as your site expands. With more extensive databases, it takes time for queries to fetch relevant results and execute checkout processes. Also, WordPress databases store all the drafts and revisions you make to your web pages. As the records accumulate, they increase database size and hurt WooCommerce performance.
The WordPress database also stores transients: data elements kept temporarily so that plugins and themes can read a cached value instead of regenerating it on every request. Although each transient carries an expiry time, expired transients are not always cleaned up and some remain in the database. As they accumulate, they consume space and degrade performance.
For WooCommerce in particular, be careful with the caching configuration: it must exclude the Cart, My Account, and Checkout pages from page caching. Those pages must be generated dynamically whenever a customer updates their details, whereas a page cache only serves static content.
WooCommerce sites often have many high-resolution images to display a product from several angles. Some product descriptions also include promotional videos to help customers understand how the product works.
Out-of-date PHP versions, obsolete themes and plugins, and poor security practices can all contribute to a slow WooCommerce site. Older PHP versions are slower than current releases and, once they are no longer supported, stop receiving security fixes, so they carry known vulnerabilities that can lead to a breach as well as a sub-optimal user experience.