For most of us, the holiday period is a time for family gatherings and well-deserved rest. But as it turns out, there are those who spend this time searching for security gaps. And not just that... As we learn from a note published today, a database configuration error meant that essentially any Internet user could take a peek at 250 million records from the customer service and support database of none other than Microsoft.
Bugs R Us...
The gap was discovered by Bob Diachenko of Comparitech on December 29 last year. Microsoft patched it within two days and explains that the problem was caused by an "incorrect configuration" of one of its internal support databases. Company representatives also point out that there is no evidence that the publicly accessible information was used in any unlawful manner.
Among other things, logs from maintenance calls with users were stored on the server until 2005. According to Comparitech, the database was not password-protected.
Meanwhile, Microsoft defends itself by claiming that the 'vast majority' of personal data had been redacted. However, Comparitech discovered that some information, such as user email and IP addresses, was stored as plain text. Anyone who accessed it might not have been able to use it directly to cause harm, but it would have allowed them to convincingly impersonate Microsoft's technical support and scam users out of further data.
"We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence," wrote Microsoft in the note.
Following the recent leak, Microsoft has also decided to audit its internal security policies and to implement tools that will automatically redact sensitive user data. New alerts will also be introduced to immediately inform service technicians about errors in server configuration.
A ticking bomb
For Microsoft, this is the second such serious incident involving the customer service department within a year, as there was another leak in April 2019. According to the company, hackers then used the login data of one of its employees to access users' email accounts. However, the biggest problem in both situations seems to be that support staff have almost unlimited access to user information, which makes them a very attractive target for hackers. As Dave Aitel of Cyxtera said early last year, "technical support is a gap waiting to be discovered." These were prophetic words...