Security researchers found a total of 250 million Microsoft
customer records spread across five unsecured servers that could have been accessed
by anyone using just a web browser. Microsoft has since secured the servers.
Unsecured Elasticsearch servers seem to be all the rage,
as company after company leaves them exposed to the Internet without any protection.
While Elasticsearch servers have very specific uses and are designed to provide
scalable, fast search capabilities, they also come with clear instructions from
the developers.
Elasticsearch must not be run as root (the process refuses to start as root), it is not
meant to be exposed directly to users, and the nodes should never be reachable
directly from the Internet.
Instead, an application sitting in front of the cluster should make the proper requests,
following precise rules. In no scenario should an Elasticsearch server be found online,
let alone without any kind of authentication.
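The quickest way to confirm that a node has not ended up in exactly that state is to ask it the question the researchers effectively asked: an unauthenticated GET / on port 9200. An unprotected node answers with its cluster name and the "You Know, for Search" tagline; a node with security enabled answers 401; a node that is correctly kept off the Internet does not answer at all. The script below is an added example, not code from the original article or from Elastic; the host names, the `support-search` cluster name and the sample responses are constructed for illustration.

```python
"""Check whether an Elasticsearch HTTP endpoint answers without credentials.

Added example (not from the original article). Host names, the cluster name
and the sample responses below are constructed for illustration only.
"""
import json
import urllib.error
import urllib.request

# Every Elasticsearch node returns this tagline in the response to GET /.
ES_TAGLINE = "You Know, for Search"


def classify_root_response(status, body):
    """Classify the HTTP response to an unauthenticated GET / on port 9200.

    Returns one of:
      'open'   - cluster info came back without credentials (exposed, the bad case)
      'auth'   - the node demands credentials (401/403), security is enabled
      'not_es' - something other than Elasticsearch is listening
    """
    if status in (401, 403):
        return "auth"
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return "not_es"
        if (isinstance(info, dict)
                and info.get("tagline") == ES_TAGLINE
                and "cluster_name" in info):
            return "open"
    return "not_es"


def probe(host, port=9200, timeout=5.0):
    """Send an unauthenticated GET / and classify the result.

    Returns 'unreachable' when nothing answers, which is the state a node
    that must not be on the Internet should be in when probed from outside.
    """
    req = urllib.request.Request(f"http://{host}:{port}/",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_root_response(resp.status,
                                          resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 401/403 arrive as HTTPError; the body still tells us it is Elasticsearch.
        return classify_root_response(err.code, err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return "unreachable"


# Constructed sample responses, shaped like real Elasticsearch 7.x replies.
OPEN_BODY = json.dumps({
    "name": "node-1",
    "cluster_name": "support-search",
    "version": {"number": "7.5.1"},
    "tagline": ES_TAGLINE,
})
AUTH_BODY = json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request [/]"},
    "status": 401,
})


if __name__ == "__main__":
    # Offline demonstration on the constructed bodies, then a live probe of
    # localhost, which should report 'unreachable' or 'auth' on a sane host.
    print("open node   ->", classify_root_response(200, OPEN_BODY))
    print("secured node->", classify_root_response(401, AUTH_BODY))
    print("localhost   ->", probe("127.0.0.1"))
```

Run it against every address your cluster is reachable on from outside the network; anything other than `unreachable` (or at the very least `auth`) means the node is visible to the Internet in the way the article describes.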
The five Elasticsearch servers identified
each contained the same data set of 250 million Customer Service and Support (CSS)
records. The private data included email addresses, IP addresses, locations,
descriptions of CSS claims and cases, the emails of Microsoft’s support agents,
case numbers, resolutions, and remarks, along with internal notes marked as
Once the exposure was detected and Microsoft notified, access
to the servers was cut. It’s impossible to tell how long the data was available
online or how many people accessed it before Microsoft stepped in. Still, the
leaked information is exactly what’s needed for tech support scams.
Using this kind of data, scammers call people and
convince them they’re Microsoft employees. After all, who could have access to
case numbers and support notes other than Microsoft? Convincing people to install remote desktop
tools or phishing for additional information is the usual path taken by
scammers. It’s important to know that Microsoft never makes unsolicited calls to
customers, for any reason, and any interaction with the company is done exclusively from the customer’s