On January 22, 2020, Microsoft reported a security breach involving one of its customer databases. Between December 5 and December 31, 2019, a change to the database’s network security group introduced misconfigured security rules that left the data exposed.
Microsoft did not specify how many records were exposed; however, according to Comparitech, 250 million Microsoft customer service and support records ended up being visible on the web.
The databases were discovered by Bob Diachenko, a security researcher, who notified Microsoft immediately. Within 24 hours, all servers were secured.
Kudos to MS Security Response team – I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve. https://t.co/PPLRx9X0h4
— Bob Diachenko (@MayhemDayOne) January 22, 2020
No malicious parties are known to have accessed the data during the time it was exposed.
What kind of data was exposed?
According to Diachenko, most of the personally identifiable information, such as email aliases, contact numbers, and payment information, had been redacted. However, many records still contained plain-text data: customer email addresses, IP addresses, locations, descriptions of CSS claims and cases, Microsoft support agent emails, case numbers, and internal notes marked as “confidential”.
In its blog post, Microsoft acknowledged that some data may have remained unredacted under certain conditions. For example, if an email address was written in a non-standard format (“XYZ @contoso com” rather than “XYZ@contoso.com”), the redaction may have missed it and the address may have been visible.
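The redaction gap described above is easy to reproduce: a matcher that only recognises well-formed addresses leaves “XYZ @contoso com” in place. The script below is an added illustration, not Microsoft’s redaction code; the note text is constructed, and the strict and tolerant patterns are assumptions about how such a redactor might be written.

```python
import re

# Strict pattern: only matches a well-formed address such as XYZ@contoso.com.
STRICT_EMAIL = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"
)

# Tolerant pattern: also accepts spaces/tabs around '@' and spaces in place of
# the dots between domain labels, so "XYZ @contoso com" is caught as well.
# The lazy middle group stops at the first plausible top-level label.
_SEP = r"(?:\.|[ \t]+)"
TOLERANT_EMAIL = re.compile(
    r"[A-Za-z0-9._%+-]+[ \t]*@[ \t]*[A-Za-z0-9-]+(?:" + _SEP + r"[A-Za-z0-9-]+)*?"
    + _SEP + r"[A-Za-z]{2,6}\b"
)


def redact_strict(text: str) -> str:
    """Redact only well-formed addresses (reproduces the gap)."""
    return STRICT_EMAIL.sub("[REDACTED]", text)


def redact_tolerant(text: str) -> str:
    """Redact well-formed and loosely written addresses (favours recall)."""
    return TOLERANT_EMAIL.sub("[REDACTED]", text)


def tolerant_only_matches(text: str) -> list[str]:
    """Strings the strict redactor leaves behind that the tolerant one removes."""
    leftover = redact_strict(text)
    return [m.group(0) for m in TOLERANT_EMAIL.finditer(leftover)]


# Constructed support notes: one standard address, one non-standard address,
# and a deliberate decoy ("3 @ the desk") to show the tolerant pattern's
# over-redaction cost. For internal notes that trade-off is usually acceptable.
NOTES = (
    "Case 12345: customer XYZ@contoso.com reports login failures.\n"
    "Callback requested to XYZ @contoso com after 5pm.\n"
    "Meeting note: sync at 3 @ the desk tomorrow.\n"
)

if __name__ == "__main__":
    print(redact_strict(NOTES))
    print(redact_tolerant(NOTES))
    print(tolerant_only_matches(NOTES))
```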
Microsoft’s response and action
After the incident, Microsoft took immediate action, apologized to its customers, and began notifying them.
Here are the measures they took to prevent similar events in the future:
- Auditing the established network security rules for internal resources.
- Expanding the scope of the mechanisms that detect security rule misconfigurations.
- Adding additional alerting to service teams when security rule misconfigurations are detected.
- Implementing additional redaction automation.
How to protect yourself from potential future scams
If you’re a Microsoft customer, you may become a target of scammers trying to impersonate Microsoft’s official staff. Thus, make sure you don’t fall for these scams and read the advice I’ve included below on how you can stay safe.
Do not engage with tech support scammers pretending to work for Microsoft
Microsoft tech support scams are certainly not new. One of Heimdal’s employees received a fake IT support phone call a while ago and recognized it as a scam right away. You can read the full story here and even listen to the phone call recording if you are interested.
Of course, the main piece of advice, in this case, would be not to provide any information about yourself or allow the scammer to remotely access your computer.
Do not open phishing emails pretending to be from Microsoft
Now that the Microsoft data breach has been made public, malicious actors have a prime opportunity to launch email phishing campaigns built around it. They may try to trick you into entering your Microsoft credentials under the pretext of letting you “reset” them. In the past, we spotted a Microsoft phishing campaign that targeted Office365 users, with pages masquerading as official Microsoft and OneDrive pages.
In short, do not open these emails or click on the malicious links and you’ll be safe. And if you’d like to add an extra layer of safety to your organization, give our DNS filtering solution, Heimdal™ Threat Prevention, a try.
If you want to learn more about phishing (and spear-phishing, in particular) you may want to go through our complete guide. At the same time, here you can find out all you need to know about how social engineering tactics work.
Stay safe!