A Comparitech security research team led by Bob Diachenko has discovered five Elasticsearch servers containing Microsoft customer service records easily accessible to anyone with a web browser.
Let’s take a look at this latest breach and why Elasticsearch software appears so often in online data exposure incidences.
On December 28, and 29, 2019, the 250 million customer service and support records were left unprotected on the internet, without any password protection or authentication requirements. The records, as per Comparitech, are logs of conversations between Microsoft support agents and Microsoft customers. They cover a 14-year period between 2005 and December 2019.
The five servers appeared to each contain identical sets of the 250 million records. They were identified by Diachenko who immediately contacted Microsoft. The researcher says:
“I immediately reported this to Microsoft and within 24 hours all servers were secured, I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve.”
Microsoft’s General Manager, Eric Doerr, has also commented:
“We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate.”
Over December 30 and 31, Microsoft secured the servers and the exposed data and both Diachenko and Microsoft continued the investigation and breach management process. It’s not known if any unauthorized parties accessed the data whilst it was exposed.
Diachenko revealed that much personally identifiable information including email aliases, contact telephone numbers, and payment information, was redacted. But the records did contain plain text data which did include email addresses, IP addresses, customer locations, and descriptions of customer service and support “claims and cases.” The exposed information also included the email addresses of Microsoft support agents, case numbers, resolutions and remarks, and even internal notes that were marked confidential.
Comparitech reporter and VPN expert Paul Bischoff writes:
“Even though most personally identifiable information was redacted from the records, the dangers of this exposure should not be underestimated. The data could be valuable to tech support scammers, in particular.”
Tech support scams can often involve a scammer pretending to be a Microsoft support representative and occur frequently, usually without scammers having personal information about the potential victims. Armed with actual customer support information these types of scams could be far more effective, and lead to victims revealing sensitive information or allowing access to their devices. Bischoff warns:
“Microsoft customers and Windows users should be on the lookout for such scams via phone and email. Remember that Microsoft never proactively reaches out to users to solve their tech problems—users must approach Microsoft for help first.”
Microsoft also never asks for a password or requests users to install applications which allow access to a user’s desktop – like TeamViewer.
– Watch our free taster sketch “Phishing Emails in Real life” from our hilarious Sketches security awareness training series
Why are Elasticsearch Databases so often at the route of data exposures and breaches?
It may not have escaped your attention that there have been a number of high-profile data breaches and reports of unsecured information discovered on the internet in Elasticsearch databases or servers. Infosecurity writer Danny Bradbury questioned this trend in February 2019, speaking to Mike Paquette, security product director at Elasticsearch.
Firstly, Elasticsearch is open source software which allows users to index and search unstructured data. Bradbury describes Elasticsearch as a “massive bucket for all your enterprise information. It slurps up everything from emails to spreadsheets and social media posts, and then lets you search it. It is a valuable repository for all kinds of enterprise information.” Paquette says:
“Recent reports about sensitive data being exposed in Internet-facing Elasticsearch instances are not related to defects or vulnerabilities in Elastic-developed software.”
The Elasticsearch product director says the problem is a lack of understanding of Elasticsearch security and how the software works. He adds:
“Reports usually involve instances where individuals or organizations have actively configured their installations to allow unauthorized and authenticated users to access their data over the internet.”
Paquette explains Elasticsearch tries to prevent unauthorised access to its databases by design. It connects Elasticsearch to local addresses meaning, as per Bradbury, “if an administrator wants to communicate outside the local machine, it has to be configured to do so.”
Problems potentially arise if, for example, a user is deploying Elasticsearch in the cloud and chooses open internet access. Paquette warns extra work needs to be done to secure Elasticsearch databases accessed and stored in the cloud. He adds that developers may relax controls on development or testing systems on the internet for convenience but may unwittingly neglect to change back the configuration when their work moves to production.
Bradbury also writes that the free version of Elasticsearch only includes its X-Pack security features during a trial. X-Pack includes role-based access control and encryption. But the author also illustrates that Elasticsearch databases can be protected without using its paid option. Bradbury writes:
“Even if you don’t use that paid option, though, there are still plenty of things you can do to stop your entire Elasticsearch database from showing up on the public Internet.”
Elasticsearch users should check their configuration settings
There is no clue apparent yet as to the reason for Microsoft’s Elasticsearch data exposure. We don’t know how the company uses and secures Elasticsearch.
The lesson for our readers and clients here at The Defence Works is clear. Consider how many companies have seen “data breaches” and information exposed on Elasticsearch databases. If your company uses Elasticsearch software or similar, it’s time to conduct a full audit of your configurations to ensure that your company and customer data is fully protected.
Want to learn more about empowering employees with security awareness training? Sign up for a free demo and find out how we’re already helping organisations just like yours.