Microsoft left 250 million customer service records, covering the past 14 years, exposed on the internet


by mohamed hassan

A research team at security company Comparitech reported that approximately 250 million Microsoft customer service and support (CSS) records were publicly available on the web. All data was accessible via a web browser without a password or other authentication.

Access Misconfiguration for Customer Support Database - Microsoft Security Response Center
https://msrc-blog.microsoft.com/2020/01/22/access-misconfiguration-for-customer-support-database/


250 million Microsoft customer service & support records exposed
https://www.comparitech.com/blog/information-security/microsoft-customer-service-data-leak/


According to a research team led by security researcher Bob Diachenko, five publicly accessible Elasticsearch servers were indexed on December 28, 2019 by BinaryEdge, which scans the Internet for leaked data.

A review of these servers showed that they contained 14 years of records of conversations between Microsoft CSS and its customers, including personal information such as customer email addresses, contract numbers, payment information, IP addresses, locations, and internal notes.

Diachenko immediately contacted Microsoft, and within 24 hours the exposed servers and data were secured. "I commend Microsoft's support team for their swift response, despite the fact that they are very large," said Diachenko.



As for why servers containing personal information were publicly accessible, Microsoft said it was because a change to the database's network security group made on December 5, 2019 included misconfigured security rules. Microsoft said, "Unfortunately, server misconfiguration is a common error throughout the industry. There are solutions to prevent this kind of mistake, but unfortunately they were not enabled for this database. We recommend that you periodically review your own configuration and take advantage of all available protection features."

"If a scammer had access before the data was protected, it would lead not only to phishing scams but also to impersonation of call center agents from Microsoft and other companies," said Paul Bischoff, a technologist at Comparitech. "There can be scams that put malware on the victim's machine or steal data."

in Security, Posted by log1i_yk