Last week, Microsoft announced that they fell victim to a data breach involving one of its customer databases. They state in a January 22nd blog article:
Our investigation has determined that a change made to the database’s network security group on December 5, 2019, contained misconfigured security rules that enabled exposure of the data. Upon notification of the issue, engineers remediated the configuration on December 31, 2019, to restrict the database and prevent unauthorized access. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services.
This means that for 26 days, a database used for support case analytics was visible in plain text to anyone with a web browser. No password or authentication was required for anyone wishing to gain access. While Microsoft didn’t share details about how big the database was, Comparitech, who discovered the vulnerability, states that the database was found to contain about 250 million records containing conversation logs between Microsoft support agents and customers from all over the world spanning a period from 2005 to December 2019. It was unclear whether this unsecured data was accessed or used maliciously. However, information included in the breach consists of customer email addresses, IP addresses, locations, descriptions of CSS claims and cases, Microsoft support agent emails, case numbers, resolutions, remarks, and internal notes marked as “confidential.”
How does this affect me?
Microsoft hasn’t released information about just how many users were affected but promises to reach out to those affected to offer protection tips. Unfortunately, in cases like these, it is common for criminals to pose as Microsoft or other legitimate businesses falsely informing victims that they were affected by the breach and offering to “fix” the problem. In doing so, they’ll request that victims click on a link and “log in” or “confirm their account,” which in turn provides the criminals with your login credentials.
How can I stay safe?
- If you’re contacted by phone or by email by someone claiming to be from Microsoft, make sure you’re actually hearing from Microsoft and that it isn’t a criminal posing as Microsoft instead. You can do this by visiting Microsoft’s website directly, not the site provided in the email or by phone.
- Do not click on any links, call any phone numbers, or take any other online actions demanded in a security alert email until you have confirmed directly with the source that the alert is legitimate.Install browser protection.
- Products like Guardio scan each website that you visit to ensure that it’s safe. If something malicious is found, the site is immediately blocked before any damage is done. This way, if you should receive that scam email and be fooled into clicking on the link, you’ll be alerted before you’ve inadvertently shared your personal information with criminals.Use an account monitoring service. Guardio also offers account monitoring, which can alert you of account breaches so that you can take action to safeguard your accounts before criminals have had a chance to wreak havoc on your accounts, credit cards, and identity.