A recent report revealed that as many as 250 million Microsoft customer records, dating back to 2006, have been exposed online without any password protection.
It has been a PR nightmare for Microsoft recently. First, a zero-day vulnerability was found in Internet Explorer; despite the flaw being actively exploited, Microsoft still hasn't issued a patch for it.
The news came just days after the U.S. Government issued a critical alert about a Windows 10 update addressing a vulnerability open to malicious attack, affecting almost 900 million users.
To rub salt into the wound, a recently published report by the Comparitech security research team discovered that as many as 250 million Microsoft customer records, going back to November 2005, have been exposed online in a database without any password protection.
How were the records exposed online, and what data was exposed?
According to Paul Bischoff, privacy advocate and editor at Comparitech, the investigation by the Comparitech security research team discovered no fewer than five servers containing the same set of 250 million records. These records consisted of support logs and detailed customer service conversations between customers worldwide and Microsoft support agents. Incredibly, the records, which were found on unsecured Elasticsearch servers, dated all the way back to 2005 and ran right through December 2019. The report stated that the data was easily accessible to anyone with a web browser; no authentication at all was required to access it.
The exposed data included:
- Customer email addresses
- IP addresses
- Geographical locations
- Descriptions of customer service and support claims
- Microsoft support agent emails
- Case numbers
- Case resolutions
- Internal notes marked as confidential
Fortunately, Microsoft was quick to resolve the issue once notified, and all servers were secured. However, questions remain about how this was allowed to happen in the first place, and how nobody on Microsoft's security team noticed it.