250 million Microsoft records containing sensitive information from the past fourteen years have been found on the web, exposed and left accessible without any password protection or authentication.
The data was found by security researchers from Comparitech on five Elasticsearch servers, each holding an identical dataset of discussions between Microsoft clients and service agents from 2005 up until December 2019.
Although many of the private details were redacted, other records were in plain text and included geographical locations, IP addresses, service agent and customer email addresses, details on the issues experienced, resolutions, case numbers, and confidential notes.
BinaryEdge, a search engine focusing on threat intelligence, flagged the data on December 28, 2019, where it was noticed by Bob Diachenko, the head of the Comparitech security research team. Commenting on the breach, he said, “I immediately reported this to Microsoft, and within 24 hours, all servers were secured.”
The data was not secured, so anyone with internet access who came across the datasets could view the sensitive information without any authentication.
Eric Doerr, General Manager of the Microsoft Security Response Center, said, “We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate.”
In a statement issued on January 22, 2020, via a Microsoft Security Response Center post, the company said, “the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.”
“We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence.”
The fourteen years’ worth of information was available online from December 5, 2019, until the situation was corrected on December 31, 2019. According to the company, the leak was due to “misconfigured security rules.”