2020-01-23
Microsoft Customer Service Records Exposed via Misconfigured Servers
Five improperly configured Elasticsearch servers resulted in the exposure of 250 million Microsoft customer support records for several weeks late last year. The exposure was due to misconfigured security rules that were implemented on December 5, 2019. Microsoft was notified of the problem on December 29, and had fixed the problem by December 31. All five servers stored the same information.
Editor's Note
One aspect of the story here is that if a company as skilled as Microsoft is making catastrophic configuration errors in setting up cloud and open source applications, how badly configured are those applications when used by less sophisticated organizations?

Alan Paller
If we cannot rely upon Microsoft to properly configure systems, it is unlikely that their customers will be able to do so. We need fewer choices, safe defaults out of the box, and better direction, documentation, and supervision.

William Hugh Murray
OWASP A6 "Security Misconfigurations" is really getting a lot of action with admin misconfigurations of cloud services and open source software in particular. The telling quote in the Microsoft Response Center blog post: "Misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database." Why not, and where else has this happened, are the key questions: were the controls simply policy statements (this should be done) vs. gates (the database does not go to production unless this has been done)?

John Pescatore
Security misconfiguration of cloud services has become a recurring theme. While developers have embraced the ease of creating and deploying solutions, the criticality of appropriate access controls seems to be missed. Rapid deployment of solutions needs to include independent verification of the security settings prior to production release. When implementing services, particularly cloud-based, be sure to enable verification and monitoring of the security baseline.

Lee Neely
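John Pescatore's distinction between policy statements and gates, and Lee Neely's call for independent verification of security settings before production release, as an added example that is not from the page or from Microsoft: a small Python pre-production gate that refuses to promote an Elasticsearch node whose configuration is bound off-box without authentication and TLS. It assumes a flat "key: value" elasticsearch.yml (a simplification); the setting names are real Elasticsearch settings, the two sample configs are constructed.

```python
"""Pre-production gate for an Elasticsearch node config (added example).

Assumes a flat "key: value" elasticsearch.yml; the setting names are real
Elasticsearch settings, the two sample configs are constructed."""

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

def parse_flat_yaml(text):
    """Parse top-level 'key: value' lines; comments and blanks are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_true(value):
    return str(value).strip().lower() == "true"

def gate(config_text):
    """Return (passed, findings); any finding blocks promotion to production.
    An absent setting counts as the unsafe value: the safe one must be explicit."""
    s = parse_flat_yaml(config_text)
    findings = []
    host = s.get("network.host", "127.0.0.1")
    exposed = host not in LOOPBACK  # 0.0.0.0, _site_, _global_ or a public IP
    if exposed and not is_true(s.get("xpack.security.enabled")):
        findings.append(f"network.host={host} reachable off-box but "
                        "xpack.security.enabled is not true")
    if exposed and not is_true(s.get("xpack.security.http.ssl.enabled")):
        findings.append("HTTP API reachable off-box without TLS "
                        "(xpack.security.http.ssl.enabled)")
    if s.get("xpack.security.authc.anonymous.roles"):
        findings.append("anonymous requests are granted roles: "
                        + s["xpack.security.authc.anonymous.roles"])
    return (not findings, findings)

# Constructed samples: EXPOSED is the failure mode in the story, HARDENED the fix.
EXPOSED = "cluster.name: support\nnetwork.host: 0.0.0.0\nhttp.port: 9200\n"
HARDENED = EXPOSED + ("xpack.security.enabled: true\n"
                      "xpack.security.http.ssl.enabled: true\n")

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        ok, findings = gate(cfg)
        print(name, "PASS" if ok else "BLOCKED", *findings, sep="\n  ")
```

Wired into a deployment pipeline, a non-empty findings list is the "gate" rather than the "policy statement": the node cannot reach production until the file itself carries the safe settings.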
Read more in
MSRC Blog: Access Misconfiguration for Customer Support Database
Comparitech: Report: 250 million Microsoft customer service and support records exposed on the web
SC Magazine: Microsoft database misconfiguration exposes 250M customer support records
The Register: WindiLeaks: 250 million Microsoft customer support records dating back to 2005 exposed to open internet
ZDNet: Microsoft discloses security breach of customer support database