Microsoft Leaves 250M Customer Service Records Open to the Web (Security News, January 2020)
UPDATE. Misconfigured Microsoft cloud databases containing 14 years of customer support logs exposed 250 million records to the open internet for 25 days.
"Tech support scams entail a scammer contacting users and pretending to be a Microsoft support representative. These types of scams are quite prevalent, and even when scammers don't have any personal information about their targets, they often impersonate Microsoft staff. Microsoft Windows is, after all, the most popular operating system in the world."
"Remember that Microsoft never proactively reaches out to users to solve their tech problems - users must approach Microsoft for help first. Microsoft employees will not ask for your password or request that you install remote desktop applications like TeamViewer. These are common tactics among tech scammers."
"These are the more worrying facts that arise from this incident: Access to the data was not protected using username and passwords, although for this level of confidentiality I would expect it to be protected using multifactor authentication; not all data was encrypted; data about a customer is being retained well past what I would think reasonable - 14 years' worth of support data strikes as beyond a sensible data retention interval; from the disclosure, the threat surface was exposed for 25 days, although Microsoft found no evidence of malicious use, it is quite a long interval of exposure; and poor governance. If the correct policies and processes were enforced effectively, this type of event should be near impossible to occur."
"The security controls that Microsoft has selected after the incident are all reasonable for an organization of this size and importance, I would expect them to be already in place, especially when dealing with customer data."
News URL
https://threatpost.com/microsoft-250m-customer-service-records-open/152086/