Configuration Error Reveals 250 Million Microsoft Support Records
Some the records, found on five identically configured servers, might have contained data in clear text.
Researchers have found five servers revealing almost 250 million Customer Service and Support (CSS) records. Each server contains what appears to be the same set of data stored, with no security or authentication. In a blog post, Microsoft acknowledged the exposure and blamed it on misconfigured security rules after changes made in early December.
A security research team at Comparitech, led by Bob Diachenk, discovered the five Elasticsearch servers in late December. According to Microsoft, the vast majority of the records had all personally identifiable information redacted through automated processes, though the company admitted that some records with unusually formatted data might have contained data in clear text.
In the blog post revealing its research, Comparitech noted that Microsoft acted quickly to secure the servers, completing the action within 24 hours of notification.
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "The Y2K Boomerang: InfoSec Lessons Learned from a New Date-Fix Problem."
About the Author
You May Also Like