Anatomy of a Breach: Microsoft — 250 Million Customer Service Records Exposed via Misconfigured Elasticsearch

> series: anatomy_of_a_breach —— part: 133 —— target: microsoft —— records: 250,000,000 —— authentication: none —— span: 14_years

Hedgehog Security 31 January 2020 12 min read

250 million records. 14 years of customer data. Five Elasticsearch servers with no password. Microsoft.

On 22 January 2020, security researcher Bob Diachenko reported that five Elasticsearch servers belonging to Microsoft were exposed to the internet without any authentication, containing approximately 250 million customer service and support records. The data spanned 14 years and included email addresses, IP addresses, geographic locations, descriptions of support cases, Microsoft support agent emails, case numbers, resolutions, and internal remarks — some marked as 'confidential.'

Microsoft confirmed the misconfiguration and secured the servers within 24 hours of notification. The company attributed the exposure to misconfigured network security group rules on the Elasticsearch instances. The incident was directly comparable to the Ecuador database exposure (2019) and the MongoDB ransomware wave (2017) — unauthenticated databases exposed to the internet — but with a crucial difference: this time, the organisation was Microsoft itself, demonstrating that misconfiguration is a universal risk regardless of technical expertise.



If Microsoft can misconfigure Elasticsearch, so can you.

The Same Vulnerability — Year Four

Unauthenticated databases exposed to the internet have appeared in 2017 (<a href="/blog/anatomy-of-a-breach-mongodb-ransomware">MongoDB</a>), 2019 (<a href="/blog/anatomy-of-a-breach-ecuador">Ecuador</a>), and now 2020 (Microsoft). The vulnerability class persists because cloud deployment makes it easy to create internet-facing database instances without security review. Our <a href="/penetration-testing/cloud-configuration-review">cloud configuration reviews</a> specifically check for exposed database services.

Microsoft Is Not Immune

If Microsoft — one of the world's most technically sophisticated organisations — can accidentally expose 250 million records through a misconfigured network security group, no organisation can assume its cloud configurations are correct without verification. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> provides that verification.

14 Years of Accumulated Data

The exposed database contained 14 years of customer service records — highlighting the risk of data accumulation without retention policies. Under GDPR, data must be retained only as long as necessary. <a href="/cyber-essentials">Cyber Essentials</a> and GDPR compliance both require data minimisation practices.

Rapid Response — 24 Hours

Microsoft secured the servers within 24 hours of notification — a rapid response that limited exposure. <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides the monitoring that detects misconfigurations proactively, before external researchers find them. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> enables rapid containment.

Verify your cloud configurations. Continuously. Automatically. Now.

The Microsoft exposure reinforced that cloud configuration verification must be continuous and automated — not a one-off exercise. Network security groups, access policies, and authentication settings can be changed at any time by any administrator, and a single misconfiguration can expose millions of records. Cyber Essentials mandates secure configuration. Our cloud configuration reviews identify exposed services. External vulnerability scanning detects publicly accessible databases. SOC in a Box monitors for configuration changes that create exposure. And UK Cyber Defence provides incident response when exposures are discovered.
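One way to automate the network security group check the paragraph above calls for, as an added example that is not part of the original post or Microsoft's tooling: it walks an Azure NSG export (assumed to be shaped like `az network nsg show` output; the rule set itself is constructed) in priority order and reports whether a database port such as Elasticsearch's 9200 is reachable from an arbitrary internet address.

```python
# Added example (not Hedgehog Security's or Microsoft's code): flag NSG rules
# that expose a database port to the whole internet. Assumes an export shaped
# like `az network nsg show` output; the rule set below is constructed.
import json

INTERNET = {"*", "Internet", "0.0.0.0/0", "::/0"}  # "anywhere" source prefixes

SAMPLE_NSG = json.loads("""{
  "name": "es-cluster-nsg",
  "securityRules": [
    {"name": "allow-es-dev", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "9200-9300"},
    {"name": "allow-ssh-office", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRange": "22"}
  ],
  "defaultSecurityRules": [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}
  ]
}""")


def port_in_rule(rule, port):
    """True if `port` falls in any destination port range of the rule ("*", "22", "9200-9300")."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for r in ranges:
        lo, hi = (0, 65535) if r == "*" else map(int, r.split("-", 1)) if "-" in r else (int(r), int(r))
        if lo <= port <= hi:
            return True
    return False


def internet_exposure(nsg, port, protocol="Tcp"):
    """Walk rules in priority order (lowest number wins, Azure semantics) and return
    (deciding_rule_name, exposed) for traffic from an arbitrary internet address.
    Rules scoped to a specific CIDR or service tag are skipped: they do not decide
    what the wider internet can reach."""
    rules = nsg.get("securityRules", []) + nsg.get("defaultSecurityRules", [])
    for rule in sorted(rules, key=lambda r: r["priority"]):
        sources = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
        if (rule["direction"] == "Inbound" and rule["protocol"] in ("*", protocol)
                and port_in_rule(rule, port) and any(s in INTERNET for s in sources)):
            return rule["name"], rule["access"] == "Allow"
    return None, False


if __name__ == "__main__":
    for port in (9200, 22):
        name, exposed = internet_exposure(SAMPLE_NSG, port)
        print(f"port {port}: {'EXPOSED' if exposed else 'blocked'} by rule {name}")
```

Run it against a real export by replacing `SAMPLE_NSG` with `json.load(open("nsg.json"))`; a result of `exposed == True` on a database port is exactly the condition that should page someone before a researcher finds it.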


Microsoft exposed 250 million records through an Elasticsearch misconfiguration. Have your cloud configs been verified?

Our <a href="/penetration-testing/cloud-configuration-review">cloud reviews</a> find exposed databases. <a href="/vulnerability-scanning">External scanning</a> detects public services. <a href="/cyber-essentials">Cyber Essentials</a> mandates secure configuration.
