Free Republic


Microsoft Security Shocker As 250 Million Customer Records Exposed Online
Forbes ^ | Jan 22, 2020 | Davey Winder

Posted on 01/22/2020 2:26:58 PM PST by dayglored

A new report reveals that 250 million Microsoft customer records, spanning 14 years, have been exposed online without password protection.

Microsoft has been in the news for, mostly, the wrong reasons recently. There is the Internet Explorer zero-day vulnerability that Microsoft hasn't issued a patch for, despite it being actively exploited. That came just days after the U.S. Government issued a critical Windows 10 update now alert concerning the "extraordinarily serious" curveball crypto vulnerability. Now a newly published report has revealed that 250 million Microsoft customer records, spanning an incredible 14 years in all, have been exposed online in a database with no password protection.

Paul Bischoff, a privacy advocate and editor at Comparitech, has revealed how an investigation by the Comparitech security research team uncovered no less than five servers containing the same set of 250 million records. Those records were customer service and support logs detailing conversations between Microsoft support agents and customers from across the world. Incredibly, the unsecured Elasticsearch servers contained records spanning a period from 2005 right through to December 2019. When I say unsecured, I mean that the data was accessible to anyone with a web browser who stumbled across the databases: no authentication at all was required to access them, according to the Comparitech report.

[Much more, and many embedded reference links, at the link]

(Excerpt) Read more at forbes.com ...
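The exposure the article describes is the classic one: an Elasticsearch HTTP API reachable from the internet with no authentication in front of it, so `GET /` returns the cluster banner and `GET /_cat/indices` lists every index and its document count. The triage helper below is an added illustration, not code from Comparitech, Forbes or Microsoft; it classifies the response to `GET /` as open, auth-required or not-Elasticsearch, and sizes an open host from `_cat/indices`. The host, URL and sample responses are constructed for the example; the `probe()` function is only for hosts you are authorised to test.

```python
"""Triage helper for an Elasticsearch endpoint that answers GET / without any
authentication.  Added illustration, not code from Comparitech or Microsoft;
the sample banner and index listing below are constructed, not captured."""
import json
import urllib.error
import urllib.request

OPEN = "open"                    # cluster banner returned with no credentials
AUTH_REQUIRED = "auth-required"  # 401/403: a security layer sits in front of the data
NOT_ES = "not-elasticsearch"     # something else answered (proxy, other service)


def classify(status: int, body: str) -> str:
    """Classify the response to GET / on a suspected Elasticsearch host."""
    if status in (401, 403):
        return AUTH_REQUIRED
    if status != 200:
        return NOT_ES
    try:
        doc = json.loads(body)
    except ValueError:
        return NOT_ES
    # An unauthenticated node answers GET / with its cluster banner; the
    # cluster_name and version keys are a reliable fingerprint.
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return OPEN
    return NOT_ES


def index_doc_counts(cat_indices_body: str) -> dict:
    """Parse GET /_cat/indices?h=index,docs.count (plain text, one index per
    line) into {index: doc_count}, to size the blast radius of an open host."""
    counts = {}
    for line in cat_indices_body.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            counts[parts[0]] = int(parts[1])
        except ValueError:
            continue
    return counts


def probe(base_url: str, timeout: float = 5.0) -> tuple:
    """Live check against a host you are authorised to test.  Returns
    (classification, {index: doc_count}).  Not exercised offline."""
    base = base_url.rstrip("/")

    def get(path):
        try:
            with urllib.request.urlopen(base + path, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as exc:
            return exc.code, ""

    verdict = classify(*get("/"))
    if verdict != OPEN:
        return verdict, {}
    return verdict, index_doc_counts(get("/_cat/indices?h=index,docs.count")[1])


# Constructed sample responses (not captured from any real host).
SAMPLE_BANNER = json.dumps({
    "name": "node-1",
    "cluster_name": "support-logs",
    "version": {"number": "6.8.0"},
    "tagline": "You Know, for Search",
})
SAMPLE_CAT_INDICES = "support-2019  12345678\nsupport-2018  9876543\n"

if __name__ == "__main__":
    print(classify(200, SAMPLE_BANNER), index_doc_counts(SAMPLE_CAT_INDICES))
```

An "open" verdict on a node that holds customer data is the finding; the fix is not a firewall rule alone but turning on the built-in security layer (`xpack.security.enabled: true` in `elasticsearch.yml`, on by default in recent releases) so that the API requires credentials even when it is reachable.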


TOPICS: Business/Economy; Computers/Internet; Hobbies
KEYWORDS: databreach; microsoft; microsoftsecurity; security; windows; windowspinglist
To: dayglored

That's what happens when a majority of Microsoft's workforce is made up of lying, cheating unqualified H1Bs from India and Communist China


21 posted on 01/22/2020 6:22:47 PM PST by Starcitizen (American. No hyphenation necessary. Send the H1B and H4EAD slime home. American jobs for Americans)

To: dayglored; Whenifhow; null and void; aragorn; EnigmaticAnomaly; kalee; Kale; AZ .44 MAG; ...

p


22 posted on 01/22/2020 7:43:46 PM PST by bitt (A government afraid of its citizens should be afraid.)

To: ProtectOurFreedom
Someday a password manager company is going to be hacked. They have to be the juiciest targets around.

I would never use an online password manager. That's just asking for it IMO. There are a number of good desktop programs folks can use. Password Safe was originally written by Bruce Schneier, a rather well-known cryptographer. He's since handed it off to others, but the program is still open source so anyone can see how it works, and it can therefore be validated not to have nasty surprises buried in it.

Personally, I use Keepass2, but it's a Linux program. Also open source and can read a Password Safe database. As long as you have a nicely complex and reasonably long passphrase for your password manager, you should be OK.

23 posted on 01/22/2020 8:28:32 PM PST by zeugma (I sure wish I lived in a country where the rule of law actually applied to those in power.)

To: dayglored; bitt; mairdie

I think Microsoft was about to be exposed for selling, sharing confidential customer info for years so they threw it all out onto the street and will now say all the exploitation is new and not done intentionally, historically, for money, “Shocked! Shocked, I tell you.”


24 posted on 01/22/2020 8:42:28 PM PST by ransomnote (IN GOD WE TRUST)

To: zeugma
I use LastPass, so I just went back and checked how they manage passwords. They use local 256-bit AES encryption in C++ and JavaScript with one-way salted hashes on my computer. Passwords are never sent in the clear.

LastPass says this means:

1. All encryption and decryption happens on your computer.
When you create your LastPass account, an encryption key is created on your computer (your Master Password, or MP, and email go through a complex, irreversible process known as hashing to form your encryption key). Any sensitive data you then save to your account is ‘locked up’ by the encryption key while still on your computer, then sent in encrypted form to LastPass’ server.

2. The sensitive data that is harbored on our servers is always encrypted before it’s sent to us, so all we receive is gibberish.
Since the encryption key is locally created each time you submit your MP and email, all that we store and have access to on our servers is your encrypted data. Without your unique encryption key, your sensitive data is meaningless gibberish. Even if someone were to mandate that we provide a copy of our database, the data would still be unreadable without your encryption key.

3. We never receive the key to decrypt that data.

I also do two other things to make it safe: I use a long, tough passphrase AND I use two-factor authentication with a physical YubiKey.
25 posted on 01/22/2020 9:36:02 PM PST by ProtectOurFreedom
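The scheme quoted in the post above (master password plus email hashed on the client to form the vault key; the server only ever stores ciphertext and never the key) is easier to reason about with the pieces written out. The block below is an added illustration, not LastPass's code: PBKDF2-SHA256, the iteration count, the lower-casing of the email, the extra one-way "login hash" step and the sample credentials are all assumptions made for the example. It also answers the later question about the salt being in the clear: the email is the salt here, it is public, and that is fine because its job is uniqueness per user, not secrecy. Vault encryption itself is left out because the standard library has no AES; with the `cryptography` package it would be AES-256-GCM under `vault_key`.

```python
"""Client-side key derivation of the kind the LastPass description sketches:
master password + email -> vault key on the client; the server only ever sees
a further one-way hash.  Added illustration, not LastPass's code.  The KDF
choice, iteration count, email normalisation, login-hash construction and
sample credentials are assumptions."""
import hashlib
import hmac

ITERATIONS = 100_000  # assumption; tune to current guidance for your KDF


def vault_key(master_password: str, email: str) -> bytes:
    """Key that encrypts the vault.  Never leaves the client.
    The email is the salt: not secret, but it makes every user's key unique,
    so a table precomputed for one user is useless against another."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"),
                               ITERATIONS, 32)


def login_hash(key: bytes, master_password: str) -> bytes:
    """What the client sends to authenticate: one more one-way step over the
    vault key, so the server can check it without learning the key."""
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode("utf-8"), 1, 32)


def client_login_material(master_password: str, email: str) -> dict:
    """Everything the client computes at login; only 'login_hash' is sent."""
    key = vault_key(master_password, email)
    return {"vault_key": key, "login_hash": login_hash(key, master_password)}


def server_verify(stored_login_hash: bytes, presented_login_hash: bytes) -> bool:
    """Server side: constant-time compare.  The server holds only the login
    hash and the encrypted vault; neither yields the vault key."""
    return hmac.compare_digest(stored_login_hash, presented_login_hash)


def offline_guess(stored_login_hash: bytes, email: str, candidates):
    """Cost model for an attacker holding a server dump: every candidate needs
    the full client-side derivation, i.e. ITERATIONS + 1 PBKDF2 rounds per
    guess, which is the only thing standing between the dump and the vault."""
    for guess in candidates:
        candidate = login_hash(vault_key(guess, email), guess)
        if hmac.compare_digest(candidate, stored_login_hash):
            return guess
    return None


if __name__ == "__main__":
    m = client_login_material("correct horse battery staple", "user@example.com")
    print(server_verify(m["login_hash"], m["login_hash"]))
```

The point of `offline_guess` is that "the server stores gibberish" is only as strong as the master password and the KDF cost: a dumped database lets an attacker run the derivation as fast as their hardware allows, with no rate limiting, so a long passphrase and a second factor (as the post mentions) are what keep that search impractical.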

To: nutmeg

.


26 posted on 01/22/2020 9:38:47 PM PST by nutmeg

To: ProtectOurFreedom

Nothing new with asymmetric methods. Oddly, the short but randomized salt is typically clear. But that’s okay. It’s meant to make your ordinary password that much more special...

The prob with LastPass is the single point of entry that inevitably grants access to the other keys. Also, the browser hooks are weird. How do you know LastPass isn't being impersonated, and you're prompted for your special secret?

Whatever the best method is, it should have enough entropy to stall systematic attacks — long enough to be detected by systematic counter measures. And today’s best-practices likely suffice. No doubt these “shocking” attacks involve antiquated security practices.

Fascinating stuff.


27 posted on 01/23/2020 12:24:12 AM PST by Gene Eric (Don't be a statist!)

To: thoughtomator
If you give any information to any company of significant size, you should expect that information will get out into the wild.

And that is why I have my own domain and make up a different email address for every single company. When they get hacked, emails sent to that address go straight to the trash.

28 posted on 01/23/2020 2:41:55 AM PST by The Truth Will Make You Free

To: ProtectOurFreedom

That’s exactly how it should be done. There is no reason for the site to actually have the passwords. There is a Keepass for Android, and I’ve thought about using it, but I just don’t trust the device enough. Keeping the two devices in sync would be a pain anyway. One of the things I like about using a password manager is that it makes really excellent passwords. They are 20 character random ASCII. They won’t be cracked. I have no idea what the passwords are to the vast majority of websites I go to, especially if I’d ever use a credit card on them.


29 posted on 01/23/2020 6:00:57 AM PST by zeugma (I sure wish I lived in a country where the rule of law actually applied to those in power.)
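The "20 character random ASCII" passwords from the post above, and the "nicely complex and reasonably long passphrase" recommended earlier for the manager itself, can be put on the same scale. The block below is an added illustration, not zeugma's or KeePass's code: it generates a password the way a manager should (from the OS CSPRNG, uniformly over the alphabet) and computes the entropy and an exhaustive-search cost. The guess rate used in the estimate is an assumption for the example.

```python
"""Password-manager style generation plus an entropy check.  Added
illustration, not KeePass's code; the guess rate in the cost estimate is an
assumption."""
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniform random draw from the alphabet via the OS CSPRNG (secrets),
    not random.choice, whose generator is not designed for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for 'length' independent uniform picks.  For a word
    passphrase, 'length' is the word count and 'alphabet_size' the list size."""
    return length * math.log2(alphabet_size)


def expected_years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive search: half the keyspace at the given
    rate.  Only meaningful for a uniformly random secret, which is the
    property the generator above provides and a human-chosen one does not."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 86400)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, round(entropy_bits(len(pw), len(PRINTABLE)), 1), "bits")
```

Twenty characters over 94 printable symbols is about 131 bits, which is why such a site password "won't be cracked" by any search; a six-word passphrase drawn from a 7776-word list is about 77.5 bits, far less, which is why the manager's own master passphrase is the weak point and leans on KDF cost and a second factor rather than raw entropy.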

To: zeugma

That’s my strategy, too. All my important sites have a very tough LastPass generated pw


30 posted on 01/23/2020 6:37:51 AM PST by ProtectOurFreedom

To: dayglored

I’m sure I have a ton of records in this database. And I used to do support, also. So both ways.

I really don’t care though. Privacy is dead in the online age.


31 posted on 01/23/2020 7:10:56 AM PST by Alas Babylon! (The prisons do not fill themselves. Get moving, Barr!)

To: dayglored

Microsoft Security Shocker? Isn’t that an oxymoron? That’s akin to saying “government efficiency,” only inside out.


32 posted on 01/23/2020 2:00:57 PM PST by ducttape45 ("Righteousness exalteth a nation; but sin is a reproach to any people." Proverbs 14:34)

To: dayglored

The company I work for switched over to Office 365 over the past few years and our data is on their sharepoint servers. We have to log in about every 15 minutes to our sites.
I have to get a text sent to my cell phone several times a day which is real annoying. Everything is slower on the computer as everything you do is uploaded to their servers. Outlook will say Not responding for a while then recover, Word, Excel are slow due to the “cloud”.

They have had outages at times and you cannot get your work done until they fix it. Three that I read about in different parts of the country since we signed up with them. Our company fired about half the IT dept and replaced them with Microsoft. Nothing better than putting your company at risk to strangers.


33 posted on 01/23/2020 11:58:31 PM PST by minnesota_bound (homeless guy. He just has more money....He the master will plant more cotton for the democrat party)



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson