Security researchers found a total of 250 million Microsoft customer records spread on five unsecured servers that could have been accessed by anyone using just a web browser. Microsoft has since secured the servers.
Unsecured Elasticsearch servers seem to be all the rage, as various companies leave them unsecured and accessible from the Internet. While Elasticsearch servers have very specific uses and are designed to provide people with scalable and fast search capabilities, they also come with clear instructions from the developers.
The developers' guidance is explicit: Elasticsearch should not run as root, should not be exposed directly to end users, and should never be connected directly to the Internet. Instead, an application in front of the database should issue the properly formed requests on users' behalf, following precise rules. In no scenario should an Elasticsearch server be reachable from the public Internet, let alone without any kind of authentication.
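As an added illustration of the deployment guidance above (this is example code, not from the article or from Elastic), the following audit reads the flat `key: value` settings of an `elasticsearch.yml` and flags the pattern behind this leak: a node bound to a non-loopback address without authentication or HTTP TLS. The setting names are real Elasticsearch settings; the two sample configurations are constructed, and a minimal line parser is used so the script runs without PyYAML. Whether a fronting application or reverse proxy exists is outside the config file, so the audit assumes the operator checks that separately.

```python
# Audit an elasticsearch.yml for the "exposed, unauthenticated node" pattern.
# Added example; not the article's or Elastic's own code. Sample configs are
# constructed. Absent security settings are treated as disabled (conservative,
# since the default has differed across Elasticsearch versions).

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Parse top-level 'key: value' lines into a dict (comments, blanks ignored).

    Only the flat form used by the settings below is handled; this is a
    stand-in for a real YAML parser, not a replacement for one.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def is_true(value):
    return str(value).lower() == "true"


def audit(settings):
    """Return a list of findings; an empty list means no exposure pattern found."""
    findings = []
    # Elasticsearch binds loopback when network.host is unset.
    host = settings.get("network.host", "_local_")
    if host in LOOPBACK:
        return findings  # reachable only from the host itself
    findings.append(f"network.host={host}: node listens on a non-loopback address")
    if not is_true(settings.get("xpack.security.enabled", "false")):
        findings.append("xpack.security.enabled is not true: no authentication on a reachable node")
    if not is_true(settings.get("xpack.security.http.ssl.enabled", "false")):
        findings.append("xpack.security.http.ssl.enabled is not true: HTTP traffic is cleartext")
    return findings


# Constructed sample: the kind of config that ends up reachable by anyone.
EXPOSED_CONFIG = """
cluster.name: support-search
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
"""

# Constructed sample: loopback bind, authentication and TLS on.
HARDENED_CONFIG = """
cluster.name: support-search
network.host: 127.0.0.1
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_flat_yaml(text)) or ["ok"])
```

Run it against a real `elasticsearch.yml` by reading the file into `parse_flat_yaml`; a node that must bind a private interface for cluster traffic will still be reported on the first finding, which is the intended prompt to confirm that authentication and TLS are on and that a firewall and fronting application sit between the node and anything public.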
The five Elasticsearch servers identified each contained the same data set of 250 million Customer Service and Support (CSS) records. The private data included email addresses, IP addresses, locations, descriptions of CSS claims and cases, the emails of Microsoft’s support agents, case numbers, resolutions, and remarks, along with internal notes marked as “confidential.”
Once the breach was detected and Microsoft was notified, access to the servers was cut. It’s impossible to tell how long the data was available online or how many people accessed it before Microsoft stepped in. Still, the leaked information is exactly what’s needed for tech support scams.
Using this kind of data, scammers call people and convince them they’re Microsoft employees. After all, who could have access to this data other than Microsoft? Convincing people to install remote desktop tools or phishing for additional information is the usual path taken by scammers. It’s important to know that Microsoft never calls people up, for any reason; any interaction with the company is initiated exclusively by the customer.