Microsoft Error Exposed 250 Million Elasticsearch RecordsFive Customer Service Databases Were Left Internet-Accessible for Three Weeks
Microsoft accidentally internet-exposed for three weeks 250 million customer support records stored in five misconfigured Elasticsearch databases. While the company rapidly locked them down after being alerted, it's an embarrassing gaff for the technology giant, which has pledged to do better.
Security researcher Bob Diachenko discovered the databases on Dec. 29, 2019, using the BinaryEdge search engine, which scours the internet for metadata on connected devices. Diachenko alerted the Redmond, Washington-based technology giant, and within a day, Microsoft secured the databases, according to Comparitech, a U.K.-based product testing website, which works with Diachenko.
Kudos to MS Security Response team - I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve. https://t.co/PPLRx9X0h4— Bob Diachenko (@MayhemDayOne) January 22, 2020
Elasticsearch is a popular, open-source search engine and analytics platform used for large stores of data. Like Amazon S3 buckets, MongoDB and other cloud-based databases, Elasticsearch does not internet-expose data by default. But many administrators appear to have disabled the built-in security controls (see: Cloud Security: 'Big Data' Leak Prevention Essentials).
Indeed, nary a week goes by without a researcher discovering a breach along the lines of what Microsoft has just reported (see: Baby's First Data Breach: App Exposes Baby Photos, Videos).
Exposure Included Confidential, Internal Notes
In Microsoft's case, the company publicly disclosed the problem on Wednesday, saying the exposed data included email addresses, IP addresses, locations and customer support interactions - including case number and resolutions - as well as confidential internal notes.
The company apologized, blaming a misconfiguration of security rules. Microsoft says the investigation had not uncovered signs of malicious use, and it noted that most of the personal data that had been exposed was redacted.
“Misconfigurations are unfortunately a common error across the industry,” according to a blog post from Microsoft’s Security Response Center. “We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”
Roger Grimes, who was formerly a principal security architect at Microsoft and now is with the security firm KnowBe4, says the exposed data included no personally identifiable information, and said it would have been of limited use to hackers. Email addresses could be used for phishing, and internal configurations of some systems could be somewhat useful to attackers, but overall, the risk is low, he says.
“I’m stretching to find a bunch of high-risk use cases,” Grimes tells Information Security Media Group. “I don’t want to say that it’s benign, but it’s close. There’s no passwords, no financial info, no healthcare info, very little serious PII, etc. Again, any data leak is bad, but on a scale of 1 to 10 with 10 being the worse, this is easily below 5. Maybe even 3 or lower.”
Millions of Records
The databases contained what appeared to be identical copies of 250 million customer support records dating from 2005 through 2019, according to Comparitech.
Microsoft publicly disclosed the exposure on Wednesday, saying the databases were used by its internal customer service teams and that information pertaining to commercial cloud services, such as Azure, were unaffected.
"As we've learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available."
—Microsoft’s Security Response Center
Microsoft says the “vast majority” of the records were redacted, as it uses tools to automatically remove personal information. But some records may have been exposed under certain conditions.
“An example of this occurs if the information is in a non-standard format, such as an email address separated with spaces instead of written in a standard format (for example, 'XYZ @contoso com' vs 'XYZ@contoso.com'),” Microsoft says. “We have begun notifications to customers whose data was present in this redacted database.”
The company didn’t immediately respond to a query from Information Security Media Group asking what percentage of the exposed records may have included unredacted information.
Microsoft traced the exposure to a change that engineers made on Dec. 5, 2019. The network security group for the databases contained misconfigured security rules.
On Dec. 31, 2019, Microsoft fixed the configuration problem.
Microsoft Pledges to Do Better
As a result of the incident, Microsoft says it is taking steps to better lock down its use of cloud-based databases.
For example, the company has pledged to improve auditing of its security rules for internal resources as well as to expand the scope of tools it uses to search for any security rule misconfigurations. The company says it will also expand its alerting systems to try and sound red alerts whenever security rule misconfigurations occur.
Executive Editor Mathew Schwartz contributed to this story.