Microsoft has announced a data breach that affected one of its customer databases.
In a blog article, titled Access Misconfiguration for Customer Support Databases, the firm admits that between December 5 and December 31, 2019, a database used for “support case analytics” was effectively visible from the cloud to the world.
Microsoft didn’t give details of how big the database was. However, consumer website Comparitech, which says it discovered the unsecured data online, claimed the breach affected about 250 million records containing:
…logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to December 2019.
According to Comparitech, that same data was accessible on five Elasticsearch servers. The company would later inform Microsoft, which acted promptly and quickly secured the data.
In its official statement regarding the incident, Microsoft stated that “the vast majority of records were cleared of personal information,” meaning that it used automated tools to find and remove private data.
However, some private data that was supposed to be redacted was missed and remained visible in the exposed information.
Microsoft didn’t say what type of personal information was involved, or which data fields ended up un-anonymised.
It did, however, give one example of data that would have been left behind: email addresses with spaces added by mistake, which were not recognised as personal data and therefore escaped anonymisation.
In other words, if one’s email address was recorded as “email@example.com” it would have been converted into a harmless form, whereas “name[space]@example.com” (an easy mistake for a support staffer to make when capturing data) would have been left untouched.
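The redaction failure described above is a pattern-matching problem: an anonymiser that only recognises a perfectly formed address will skip “name @example.com”. The following is an added example, not Microsoft’s tooling and not code from the article, showing a naive pattern beside a whitespace-tolerant one, plus a separate post-redaction check that is deliberately looser than the redaction pattern itself. The log lines, the pattern names and the placeholder string are all constructed for the illustration.

```python
import re

# Naive pattern: only matches a well-formed address with nothing between
# the local part and the '@'. This is the kind of rule that misses "name @example.com".
NAIVE_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Whitespace-tolerant pattern: allows stray spaces on either side of the '@',
# so an address mistyped during data capture is still recognised.
TOLERANT_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+\s*@\s*[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Residual check used AFTER redaction. It is intentionally looser than either
# redaction pattern: any '@' followed by something that looks like a domain
# is flagged, regardless of what precedes it.
RESIDUAL_AT_DOMAIN = re.compile(r"@\s*[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

PLACEHOLDER = "[REDACTED-EMAIL]"

# Constructed sample support-log lines (not real data).
SAMPLE_LOG = [
    "2019-12-10 10:03 agent: confirmed contact email@example.com for the ticket",
    "2019-12-10 10:05 agent: customer gave address name @example.com, sent reset",
    "2019-12-11 09:41 agent: no contact details captured",
]


def redact(text, pattern=TOLERANT_EMAIL, placeholder=PLACEHOLDER):
    """Replace every match of `pattern` in `text` with `placeholder`."""
    return pattern.sub(placeholder, text)


def audit(lines, pattern):
    """Redact each line with `pattern`, then report lines where an
    address-like fragment survived according to the looser residual check.

    Returns (redacted_lines, leaked_lines)."""
    redacted = [redact(line, pattern) for line in lines]
    leaks = [line for line in redacted if RESIDUAL_AT_DOMAIN.search(line)]
    return redacted, leaks


if __name__ == "__main__":
    for name, pattern in (("naive", NAIVE_EMAIL), ("tolerant", TOLERANT_EMAIL)):
        out, leaks = audit(SAMPLE_LOG, pattern)
        print(f"{name}: {len(leaks)} line(s) still contain an address after redaction")
        for line in leaks:
            print("  LEAK:", line)
```

The design point is that the verification step must not reuse the redaction regex: if the same pattern that failed to match “name @example.com” is also the one checking for leftovers, the leak is invisible to the audit. Running the looser residual check over the output is what would have surfaced the space-separated addresses before the data went anywhere.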
In the face of the breach, and in a move to reassure its customers, Microsoft has promised to notify anyone whose data was inadvertently exposed in this way, but didn’t say what percentage of all records were affected.
So what should one do in the face of this breach, and which steps should one take to stay safe and secure?
Paul Ducklin, the principal research scientist at Sophos, noted that it remains unknown “how many people were affected or exactly what personal data was opened up for those users.”
Ducklin stated that even though hundreds of millions of records were exposed, it sounds as though comparatively few people actually had recognizable email addresses in the leaked database.
In essence, this means that most people won’t actually receive warnings from Microsoft – but might well receive “warnings” from crooks claiming to be Microsoft.
“We also don’t know who else, besides Comparitech, may have noticed in the three weeks it was exposed, although Microsoft says that it ‘found no malicious use’,” added Ducklin.
“We assume that if you don’t hear from Microsoft, even if you did contact support during the 2005 to 2019 period, then either your data wasn’t in the exposed database, or there wasn’t actually enough in the leaked database to allow anyone, including Microsoft itself, to identify you.”
In an article published on Sophos’s corporate blog, Naked Security, on Tuesday January 22, Ducklin however warned that “it’s possible that crooks will contact you claiming that you were in the breach.”
The crooks, in a bid to benefit from the confusion and panic created by the breach, might urge potential targets to take steps to “fix” the problem, such as clicking on a link and logging in “for security reasons”, or to “confirm your account”, or on some other pretext.
“Remember: don’t click on links in security warnings, even if you think they’re real. That way you will avoid ending up on phishing sites by mistake, and you won’t put in your password where you shouldn’t. Find your own way to any login pages you use, and never let yourself be frightened or cajoled into relying on contact data provided in an email,” emphasised Ducklin.
As a further precaution, Ducklin advised that:
- If you (ever) receive a security alert email, whether you think it is legitimate or not, avoid clicking on any links, calling any numbers or taking any online actions demanded in the email.
- Find your own way to the site where you would usually log in, and stay one step ahead of phishing emails!