back to article WindiLeaks: 250 million Microsoft customer support records dating back to 2005 exposed to open internet

Five identical Elasticsearch databases containing 250 million records of Microsoft customer support incidents were exposed on the internet for all to see for at least two days right at the end of 2019. On 28 December 2019, these databases were found by BinaryEdge, which crawls the internet looking for exposed data. This was …

  1. WolfFan Silver badge

    Microsoft support calls

    I've had a few 'support' calls from 'Microsoft', usually by 'Bob' or 'Jimmy' or 'Steven', with a pronounced Indian accent. Mostly Punjabi, actually. I always try to keep them on the phone as long as I possibly can. On several occasions I've kept them around for over 40 minutes. One of them was most irate after finally working out that I was stringing him along and became very unprofessional. I may have said something like 'tere maa mera phani chat de' or 'teri bebe nu das lagde meri lan chupan ley' in reply. Maybe.

    1. James O'Shea

      Re: Microsoft support calls

      'Bobby' is _my_ 'Microsoft' support guy. And his grandma doesn't cost $10, only five.

    2. TheVogon

      Re: Microsoft support calls

      Just forward the call to the Lenny bot.

      1. WolfFan Silver badge

        Re: Microsoft support calls

        Where's the fun in that? Getting them to waste an hour while you do actual work with occasionally picking up the phone, mumbling something, and putting the phone down again, and then watching them lose their tiny minds when they figure out that they've been had, now that's entertainment. Essentially saying "Your momma does donkeys!" when they start screaming makes it even better. I've learned some really great insults in Punjabi, Tamil, and Hindi, which I use on the next 'Microsoft' caller and which causes them to _really_ start to foam at the mouth. This is especially so when they see that I'm not taking their deadly insults seriously and am laughing my ass off. Man, do they foam when they hear me laughing! It always brightens up an otherwise dull day at the office.

  2. Martin Summers Silver badge

    I just saw this bulletin, sent it to the Reg but as usual they're ahead of me, 42 minutes in fact!

    In the bulletin it says "misconfigurations are unfortunately a common error across the industry. We have solutions to help prevent this kind of mistake, but unfortunately they were not enabled for this database".

    1. Anonymous Coward
      Mushroom

      Misconfiguration?

      If you can't be bothered with a password, blame misconfiguration!

      1. Doctor Syntax Silver badge

        Re: Misconfiguration?

        And they don't come more mis- than that.

  3. Oh Matron!

    Buzby....

    That'll be a call to the ICO then...

  4. Llama-made
    FAIL

    Only got yourself to blame, Microsoft

    Azure defaults to resources not having a network security group, which effectively defaults resources to being open to the whole internet if they have a public IP address, which most resources also default to.

    This was always a stupid idea, just like so many other Azure design decisions. At least with other clouds you have to try hard to leave your VM's networking wide open.

    Don't even get me started on the fact that there are about 8 ways to specify a network security rule in Azure, all incompatible and different.

    1. Anonymous Coward
      Anonymous Coward

      Re: Only got yourself to blame, Microsoft

      According to Microsoft's explanation, this was an internal DB and not related to Azure.

      1. Llama-made

        Re: Only got yourself to blame, Microsoft

        You reckon the multiple links to the Azure NSG documentation throughout Microsoft's explanation indicates the Elasticsearch nodes weren't hosted on Azure?

        No, this was hosted on Azure, intended to be for internal use only, and they screwed up because Azure's network security is a disaster waiting to happen.

    2. Claptrap314 Silver badge

      Re: Only got yourself to blame, Microsoft

      And yet...Azure is gaining ground on AWS. SML

      1. ecofeco Silver badge

        Re: Only got yourself to blame, Microsoft

        God help us all.

  5. Mark 85

    Hmm....

    The article mentions "at least two days". Makes one wonder how long it was actually open and who else found it. Seems to be too common..."we found an open db and they closed it" but no one ever says how long it was open or if it was accessed. That is until "haveIbeenpwned" says you've been exposed.

    1. Anonymous Coward
      Anonymous Coward

      Re: Hmm....

      The email I got from Microsoft was:

      Microsoft has corrected an issue identified by a third-party security researcher where a database containing a subset of information related to customer support interactions was accessible to the internet between the dates of 5 Dec 2019 and 31 Dec 2019. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services. Once identified, Microsoft mitigated the issue, and our security team’s investigation found no indication of malicious use of the database records. Our analysis of the support information indicates that specific personal or organizational identifiable information related to your support case was potentially visible.

      So more than a couple of days.

      Anon for a reason...

  6. Anonymous Coward
    Anonymous Coward

    3rd parties.

    A previous employer had databases similar this floating around unencrypted on external HDDs, on company and personal laptops, and in various clouds with who-knows-what permissions applied.

    Password policy was rubbish, SQL permissions were rubbish, every other server was exposed direct to the internet. It felt like a bad dream.

    It wouldn't surprise me at all if it's one of theirs!

  7. ecofeco Silver badge

    Another day

    Another hack.

    Seems only a few years ago it was just once a month.

    Good times. Good times.

    1. Phil Kingston
      Coat

      Re: Another day

      Not really a hack though if they just leave stuff out there in public.

      Me putting my unencrypted hard disk full of plain text full names, DOB's, credit card details etc in my coat ready to be left on the train on my homebound commute.

      1. T-Unit

        Re: Another day

        You clearly misconfigured your attire :)

  8. Kobus Botes
    Mushroom

    Telemetry

    I just wonder how long it will be before all the telemetry they have been collecting will become available for general consumption. I still believe it is just a matter of when, not if.

    1. Anonymous Coward Silver badge
      Holmes

      Re: Telemetry

      That will be how we discover the bandwidth limits of their cloud.

      Shall we conservatively say 100GB for each of 7 billion people? and you want to download that before they discover that it's open?

      1. James O'Shea

        Re: Telemetry

        Where would you store it? Azure? AWS? A really big local array?

      2. teknopaul

        Re: Telemetry

        It would be interesting to know. I think 100gb per person is a tad high.

        I rough estimate 100mb is enough for all my url history, for all time. ~100 urls per day.

        Devided by compression ratio.

        Reminds me of an argument I had with my brother one christmas (before snowden) about wheather full take was possible for phone calls and faxes for gchq. I argued it is possible and therefor they are doing it.

  9. Julz

    Whoosh

    Looks like you that your trying to configure for a data breach, I can help you with that...

  10. Groove-Cat

    Data Leeks

    Seriously, WTF is going on these days... too many times recently I read about data leeks.

    Are sysadmins becoming complacent or just fcuking lazy?

    1. Julz

      Re: Data Leeks

      Retiring.

    2. Alister

      Re: Data Leeks

      Are sysadmins becoming complacent or just fcuking lazy?

      No, they're just being bypassed by dev/ops who think they can do it themselves.

    3. not.known@this.address
      Coat

      Re: Data Leeks

      Not complacent or lazy, merely superseded by yes-men, yes-women and yes-(insert any/all other gender variations here) who don't make the PHB worry about such inconsequential matters as "privacy" or "security", and will happily enable whatever crap is advertised as a "must-have!" or "the next Big Thing!" because the boss asked them to.

      In fact, you might say these leeks are caused by all the good staff being put out to pasture... :-D

      1. hoola Silver badge

        Re: Data Leeks

        It is the Agile way. Develop stuff really quickly, check the important fluffy features work and push on. Any bugs can be fixed in a few releases time but it must all be good because we are delivering stuff (crap) quickly.

        Time and time again there are breaches notified and the were mostly caused by error or stupidity. We are not far off the point were there is so much stuff being harvested and then exposed that privacy ceases to exist. Compute has reached the point were the value or matching the data sets far outweighs the compute costs of doing the work.

        Then there is also the stuff that has been hidden because it is easier/cheaper/less risky to do so.

    4. Alister

      Re: Data Leeks

      Incidentally, unless you're talking about Welsh vegetables, it's LEAKS, not LEEKS

      1. Groove-Cat

        Re: Data Leeks

        saw my typo too late and thought fcuk it... :D

    5. John_3_16

      Re: Data Leeks

      AI security is only as good as the coders. M$ seems to have an extremely hard time even updating their own code so this leaving the vault doors open for an unknown extended time IS NOT surprising. Also not surprising is using 3rd world phone networks for customer service. My experience has been very negative as well. Usually requires snail mail for a solution. Even online chat services run through the same outfits.

      7 billion folks sure makes the hacks work harder. My financial status will put me in the bottom 50% so hopefully I will not attract their attention for at least a hundred years or so. :D

      Only going to get worse. Even money says Trump gets elected for another 4 years. WOW!

      Lord help us. God bless.

  11. N2
    Trollface

    Support calls?

    You need to re-install... x250million

  12. John Brown (no body) Silver badge

    On Call? Who, Me?

    Microsoft secured the databases over 30-31 December, winning praise from Diachenko for "quick turnaround on this despite [it being] New Year's Eve".

    Is this one we can expect to read about in a year or three?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like