This Could Be Really BAD!

[V.T. Eric Layton]

Microsoft Discloses Security Breach of Customer Support Database - ZDNet

[securitybreach]

Quote

The database was spotted and reported to Microsoft by Bob Diachenko...

 

I read that as "The database was spotted and reported to Microsoft Bob".

[Digerati]

Really bad? As breaches go, this one seems very benign. The vast majority of the data was anonymized. It did not affect Microsoft accounts (which would have been really REALLY bad), but customer support case information. Most of the personal data was redacted so very little personal data other than "non-standard" formatted email addresses and IP addresses were potentially vulnerable. Plus as exposures go, less than 4 weeks was a very short time, and it was fixed on the same day reported. 

 

Of course any breach is unacceptable. Period. So I am not, in any way, trying to make excuses. And of course, Microsoft knows they are not just a primary target of the bad guys, they also know any bad press WILL be blown way out of proportion by those in the IT press seeking attention with sensationalize headlines. So for sure, Microsoft should have been more diligent at preventing this incident in the first place, and short of that,  in detecting the exposed data themselves right away instead of 4 weeks later when an outside "white hat" security firm notified them. 

 

My point is, I wonder if this would have made the news cycles at all if this were not Microsoft? I mean, where was the uproar when Robinhood stored passwords in plaintext?  That is much more egregious, IMO, than what happened with those MS servers. 

 

 

 

 

[securitybreach]

So if only 15% had personal user info....  37,500,000 users are outta luck.
 

[securitybreach]

Well I dont know about home users but for a major corporation, this is a huge deal. Getting IPs and work email addresses is plenty of enough of a threat for companies. Correlating IPs with username@corporation.com could open up said companies for an attack vector. I am thinking about it from a stand point of a major corporation, not a home customer.

[Digerati]

Quote

So if only 15% had personal user info....  37,500,000 users are outta luck.

Out of luck? First, there is no evidence any of the data was accessed or stolen by any unauthorized person. It was a breach, not a hack. 

 

Second, the exposed data did NOT contain real names, street addresses, phone numbers, passwords, account numbers, Social Security numbers, birthdates, driver's license numbers, etc. - data that has been exposed by other breaches, like that Robinhood breach or worse, the Equifax "hack" where the bad guys actually stole the exposed data. 

 

There is a HUGE difference between a "breach" (where sensitive data is exposed - but not necessarily exploited) and a "hack" where bad guys gain unauthorized access and exploit said breach or other vulnerability.  

 

16 minutes ago, securitybreach said:

for a major corporation, this is a huge deal. Getting IPs and work email addresses is plenty of enough of a threat for companies. Correlating IPs with username@corporation.com could open up said companies for an attack vector.

I agree! 100%! Or rather, I would agree if that actually happened. But there is zero evidence any bad guy got anyone's IP and email addresses. By all reports, the good guys discovered the breach, and Microsoft fixed it BEFORE any bad guy had a chance to discover (hack in) and exploit it. 

 

So it could have been bad. But it wasn't.