Microsoft Leaks 250M Customer Details in Azure Fat-Finger Faux Pas

A Microsoft customer support database has been discovered by researchers, open to the public internet. No encryption, no passwords, no nothin’.

Some of the data were redacted. But it turns out, the redaction process was buggy, too. Yikes.

If Microsoft can’t configure its own cloud service securely, what hope for the rest of us? In today’s SB Blogwatch, we fire up Teamviewer.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Make it so.


Azure FAIL

What’s the craic? Catalin Cimpanu reports—“Microsoft discloses security breach of customer support database”:

 An internal customer support database … was accidentally exposed online without proper protections between December 5 and December 31. [The] database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations.

The servers contained roughly 250 million entries, with information such as email addresses, IP addresses, and support case details. … Microsoft blamed the accidental server exposure on misconfigured Azure security rules.

And Tim Anderson adds—“Quickly shuttered partially redacted leaky DB included ‘internal notes marked as confidential’”:

 These are logs of customer service and support interactions between 2005 and now. … Armed with this information, there is plenty of scope for identifying the customers, learning more about their internal IT systems [and] impersonating Microsoft support … thereby gaining access to personal computers or business networks. “Just a quick follow-up on case xxxx.”

The incident is embarrassing for Microsoft, undermining its efforts to keep its customers secure. Calls from fake Microsoft support staff are nothing new. … What’s different now is that they may be better informed than before, so … be even more wary.

Who found it? Bob Diachenko—channeled here by Paul Bischoff:

 Diachenko immediately notified Microsoft upon discovering the exposed data, and Microsoft took swift action. … “I immediately reported this to Microsoft and within 24 hours all servers were secured.”

Even though most personally identifiable information was redacted from the records, the dangers of this exposure should not be underestimated. The data could be valuable to tech support scammers, in particular.

This isn’t Microsoft’s first data security incident. In 2013, hackers broke into the company’s secret database for tracking bugs in its software. That breach … was never officially disclosed. [In] 2019, hackers compromised the account of a Microsoft support agent. The company said there was a possibility that the hacker accessed the contents of some Outlook users’ accounts.

Egg, meet face? Redmond PR mavens grimly channel Ann Johnson and Eric Doerr:

 We want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable. … Upon notification of the issue, engineers remediated the configuration on December 31.

In some scenarios, the data may have remained unredacted. … We have begun notifications to customers whose data was present in this redacted database.

Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. … It is good to periodically review your own configurations and ensure you are taking advantage of all protections available.

We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence.

Something must be done! josephg suggests something:

 I expect better from Microsoft, but I really don’t expect any better from the thousands of tiny startups out there. … I’ve been long arguing that there should be severe legal consequences for companies who leak data.

As much as I love the free market, we’re completely failing to protect consumers. … Unless the people involved suffer any serious consequences for leaking their customer’s data, they won’t bother spending the time and money to do a good job—and these breaches will continue to be commonplace.

But what’s all this about a failure to anonymize? gweihir explains:

 They only anonymized data in “standard” formats (as defined by MS, apparently). If, for example, your email is not in the format “[email protected]”, it stayed in plain.

Apparently they believe that running some simple regular expressions over the data and replace what is found is sufficient. The level of incompetence involved is staggering. Alternatively, they just did not care to do it right.

Elastic seems to attract these sorts of errors. Here’s farisjarrah to expand: [You’re fired—Ed.]

 Elasticsearch started life as a free product and security was a paid addon. … Elasticsearch is insecure out of the box and it takes extra steps to get it secured, and most people don’t do those steps even though its pretty well documented.

But Llama-made thinks this was an Azure problem:

 Azure defaults to resources not having a network security group, which effectively defaults resources to being open to the whole internet. … This was always a stupid idea, just like so many other Azure design decisions.

Don’t even get me started on the fact that there are about 8 ways to specify a network security rule in Azure, all incompatible and different.

So SlashDaniel asks the obvious question:

 If Microsoft doesn’t know how to properly secure their own Azure security rules, how do they expect their customers to?

Meanwhile, hoola blames Agile, DevOps, or the flavor of the month:

 Develop stuff really quickly, check the important fluffy features work and push on. Any bugs can be fixed in a few releases time but it must all be good because we are delivering stuff … quickly.

And Finally:

Picard Day

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Gregg Jackson (Pixabay)

Richi Jennings

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

richi has 590 posts and counting.See all posts by richi