Microsoft Security Shocker As 250 Million Customer Records Exposed Online

Forbes ^ | Jan 22, 2020 | Davey Winder

[dayglored]

A new report reveals that 250 million Microsoft customer records, spanning 14 years, have been exposed online without password protection.

Microsoft has been in the news for, mostly, the wrong reasons recently. There is the Internet Explorer zero-day vulnerability that Microsoft hasn't issued a patch for, despite it being actively exploited. That came just days after the U.S. Government issued a critical Windows 10 update now alert concerning the "extraordinarily serious" curveball crypto vulnerability. Now a newly published report, has revealed that 250 million Microsoft customer records, spanning an incredible 14 years in all, have been exposed online in a database with no password protection.

Paul Bischoff, a privacy advocate and editor at Comparitech, has revealed how an investigation by the Comparitech security research team uncovered no less than five servers containing the same set of 250 million records. Those records were customer service and support logs detailing conversations between Microsoft support agents and customers from across the world. Incredibly, the unsecured Elasticsearch servers contained records spanning a period from 2005 right through to December 2019. When I say unsecured, I mean that the data was accessible to anyone with a web browser who stumbled across the databases: no authentication at all was required to access them, according to the Comparitech report.

[Much more, and many embedded reference links, at the link]

[dayglored]

Yikes. Could be worse, but it's pretty awful.

[dayglored]

Microsoft security breach, WHOOPSIE ... PING!

You can find all the Windows Ping list threads with FR search: just search on keyword "windowspinglist".

[Red Badger]

Ironically funny...............

[Pearls Before Swine]

Maybe they could offer a password manager as an enhancement to Explorer. /S

[Fido969]

Operating systems like Windows were designed so that advertisers, cookies, server farms could access your computer processes easily. They are primarily designed to work for the marketers and data miners. It’s why there are barn-door sized holes that hackers can drive Mack trucks through.

[dayglored]

From the article:

"...Those records were customer service and support logs detailing conversations between Microsoft support agents and customers from across the world..."

On the one hand, those were private conversations that could contain security-damaging exchanges and data.

On the other hand, they probably MOSTLY contained the same information as thousands of "support forum" pages on hundreds of public sites. The difference being that these are identified as real people and companies, not just anonymous forum handles.

Let's hope MS does better with their new JEDI contract.

[Calvin Locke]

Could be worse...

The Boston Glob, when it was owned by the NYT, once reused computer printouts of its credit card customers' info to wrap the hot off the presses bundles of its fishwrap, literally putting all that info out on the streets of greater Boston.

That was for a fairly limited time, not 14 years.

[ProtectOurFreedom]

Someday a password manager company is going to be hacked. They have to be the juiciest targets around.

[Pearls Before Swine]

Someday a password manager company is going to be hacked. They have to be the juiciest targets around.

I forgot the "/S". My bad.

[Terry L Smith]

Aw, gee whiz, Mr Wilson
First, my complete Office of Personnel Mgmt info, back to ‘80 was stolen by the Chinese!
Then, it was Yahoo, and all my stuff there!
Then, it was Capital One!
Now, it is Microsoft!!!!!

[ProtectOurFreedom]

Most of those recorded sessions probably went something like this:

“First, is your computer plugged in? Second, have you tried Ctrl-Alt-Delete? Third, is your mouse plugged in?”

[Tell It Right]

"Let's hope MS does better with their new JEDI contract."

Exactly what I first thought.

[Revel]

This probably really helped out those spammers from India who claim to be from Microsoft. If you could recite past info then it would add to their credibility.

[a fool in paradise]

Gee

[thoughtomator]

If you give any information to any company of significant size, you should expect that information will get out into the wild. Any promises of privacy or data protection are functionally unenforceable and moot once the data is out there.

[Tolerance Sucks Rocks]

Yes, apparently Jeff Daniels and Jim Carrey were in charge of Microsoft security.

PING!

[nicollo]

haha, literally it's this one:

To better assist you, please answer the following questions:

1. Did you make any changes to the system prior to the issue?
2. Do you have any third party security software installed in the computer?
3. Was the scan completed successfully?

I suggest you to try scanning the drives for error by following the steps below and check again.
1. Press Windows key + E.
2. Click "This PC".
3. Right-click the drive that you want to check, and then click Properties.
4. Click the Tools tab, and then, under Error-checking, click Check now. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

Depending on the size of your drive, this might take several minutes. For best results, don't use your computer for any other tasks while it is checking for errors.

Let us know the result.

[mlo]

Feeling happy I’ve never called Microsoft support.

[Engedi]

I won’t use those for fear that it will get hacked someday. Just a matter of time.

[rockrr]

Over the years I’ve contacted them several times. The outfit I worked for had a natural Affinity for breaking things. We stumped them a few times.