Application Security & Online Fraud , Big Data Security Analytics , Breach Notification

Microsoft Error Exposed 250 Million Elasticsearch Records

Five Customer Service Databases Were Left Internet-Accessible for Three Weeks
Microsoft Error Exposed 250 Million Elasticsearch Records

Microsoft accidentally internet-exposed for three weeks 250 million customer support records stored in five misconfigured Elasticsearch databases. While the company rapidly locked them down after being alerted, it's an embarrassing gaff for the technology giant, which has pledged to do better.

See Also: Healthcare in The Cloud: Detecting and Overcoming Threats to Ensure Continuity & Compliance

Security researcher Bob Diachenko discovered the databases on Dec. 29, 2019, using the BinaryEdge search engine, which scours the internet for metadata on connected devices. Diachenko alerted the Redmond, Washington-based technology giant, and within a day, Microsoft secured the databases, according to Comparitech, a U.K.-based product testing website, which works with Diachenko.

Elasticsearch is a popular, open-source search engine and analytics platform used for large stores of data. Like Amazon S3 buckets, MongoDB and other cloud-based databases, Elasticsearch does not internet-expose data by default. But many administrators appear to have disabled the built-in security controls (see: Cloud Security: 'Big Data' Leak Prevention Essentials).

Indeed, nary a week goes by without a researcher discovering a breach along the lines of what Microsoft has just reported (see: Baby's First Data Breach: App Exposes Baby Photos, Videos).

Exposure Included Confidential, Internal Notes

In Microsoft's case, the company publicly disclosed the problem on Wednesday, saying the exposed data included email addresses, IP addresses, locations and customer support interactions - including case number and resolutions - as well as confidential internal notes.

The company apologized, blaming a misconfiguration of security rules. Microsoft says the investigation had not uncovered signs of malicious use, and it noted that most of the personal data that had been exposed was redacted.

“Misconfigurations are unfortunately a common error across the industry,” according to a blog post from Microsoft’s Security Response Center. “We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”

Roger Grimes, who was formerly a principal security architect at Microsoft and now is with the security firm KnowBe4, says the exposed data included no personally identifiable information, and said it would have been of limited use to hackers. Email addresses could be used for phishing, and internal configurations of some systems could be somewhat useful to attackers, but overall, the risk is low, he says.

“I’m stretching to find a bunch of high-risk use cases,” Grimes tells Information Security Media Group. “I don’t want to say that it’s benign, but it’s close. There’s no passwords, no financial info, no healthcare info, very little serious PII, etc. Again, any data leak is bad, but on a scale of 1 to 10 with 10 being the worse, this is easily below 5. Maybe even 3 or lower.”

Millions of Records

The databases contained what appeared to be identical copies of 250 million customer support records dating from 2005 through 2019, according to Comparitech.

Microsoft publicly disclosed the exposure on Wednesday, saying the databases were used by its internal customer service teams and that information pertaining to commercial cloud services, such as Azure, were unaffected.

"As we've learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available."
—Microsoft’s Security Response Center

Microsoft says the “vast majority” of the records were redacted, as it uses tools to automatically remove personal information. But some records may have been exposed under certain conditions.

“An example of this occurs if the information is in a non-standard format, such as an email address separated with spaces instead of written in a standard format (for example, 'XYZ @contoso com' vs ''),” Microsoft says. “We have begun notifications to customers whose data was present in this redacted database.”

The company didn’t immediately respond to a query from Information Security Media Group asking what percentage of the exposed records may have included unredacted information.

Microsoft traced the exposure to a change that engineers made on Dec. 5, 2019. The network security group for the databases contained misconfigured security rules.

On Dec. 31, 2019, Microsoft fixed the configuration problem.

Microsoft Pledges to Do Better

As a result of the incident, Microsoft says it is taking steps to better lock down its use of cloud-based databases.

For example, the company has pledged to improve auditing of its security rules for internal resources as well as to expand the scope of tools it uses to search for any security rule misconfigurations. The company says it will also expand its alerting systems to try and sound red alerts whenever security rule misconfigurations occur.

Executive Editor Mathew Schwartz contributed to this story.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.