Comparitech Discover 250 Million Microsoft Records Left Exposed Online
The Verizon 2019 Data Breach Incident Report (DBIR) in May found that misconfiguration of cloud-based file storage accounted for a fifth (21 percent) of data exposures in the previous 12 months that were caused by errors. In all, cloud storage mishaps exposed a whopping 60 million records in the DBIR dataset.
Comparitech discover 250 million Microsoft records left exposed online
February 11, 2020: An unsecured database belonging to the makeup company Estee Lauder exposed 440 million customer records. No payment or sensitive information was impacted but email addresses, IP addresses, ports, pathways and storage information were disclosed in the database.
February 20, 2020: Over 10.6 million hotel guests who have stayed at the MGM Resorts have had their personal information posted on a hacking forum. The data dump exposed includes names, home addresses, phone numbers, emails, and dates of birth of former hotel guests. Updated July, 15 2020: Researchers found 142 million personal records from former guests at the MGM Resorts hotels for sale on the Dark Web, hinting that the original breach was larger than previously announced.
March 11, 2020: Whisper, an anonymous secret-sharing app, has left member information exposed in an unsecured database. Although the app does not collect names, the database included nicknames, ages, ethnicities, genders and location data of over 900 million users.
April 6, 2020: A digital wallet app, Key Ring, left stored customer data of 14 million users accessible in an unsecured database. The app allows its users to easily upload and store scans and photos of membership and loyalty cards to a digital folder in their mobile device. The exposed data includes names, full credit card details (including CVV numbers), email address, birth date, address, membership ID numbers, retail club and loyalty card memberships, government IDs, gift cards, medical insurance cards, medical marijuana IDs, IP address and encrypted passwords.
April 14, 2020: A collection of 4 million login records belonging to the online marketplace Quidd was breached through a hack then posted on the dark web forum for free. Once accessible, the usernames, email addresses and hashed account passwords were shared among members of the forum.
April 22, 2020: A card payments processor startup, Paay, left a database containing 2.5 million card transaction records accessible online without a password. The exposed payment transaction belonging to 15 to 20 merchants includes full plaintext credit card number, expiry date and the amount spent.
July 28, 2020: The online alcohol delivery startup Drizly disclosed to its customers that a hacker accessed the account details of 2.5 million Drizly accounts. The customer information exposed included email addresses, date-of-birth and hashed passwords.
August 20, 2020: Researchers at Comparitech uncovered an unsecured database with 235 million Instagram, TikTok, and YouTube user profiles exposed online belonging to the defunct social media data broker, Deep Social. The scraped profile information in the data leak includes names, ages, genders, profile photos, account descriptions, statistics about follower engagement and demographic such as number of likes, followers, follower growth rate, engagement rate, audience demographic (gender, age and location) and whether the profile belongs to a business or has advertisements.
September 24, 2020: A researcher at Comparitech discovered an unsecured online database containing records of 600,000 gym members of the fitness chain, Town Sports International. The database exposed customer names, postal addresses, email addresses, phone numbers, check-in data, gym location, notes on customer accounts, last four digits of credit card, credit card expiration date and billing history.
October 20, 2020: Security researchers at Comparitech discovered an unsecured database containing the records of more than 350 million customers along with call transcripts belonging to the cloud-based communication company, Broadvoice. The exposed Elasticsearch database enclosed personal details such as caller names, caller identification number, phone number and location along with voicemail transcripts.
November 11, 2020: Animal Jam, a popular online game for kids, was hacked and 46 million account records were compromised in a data breach. The databases belonging to WildWorks, the company behind Animal Jam, were posted to an online hacking forum on the dark web. The data included information related to children and parent accounts, including usernames, emails, passwords, birth dates and billing addresses connected to PayPal accounts.
Microsoft disclosed a security breach that took place last month in December 2019. The company disclosed a database error that temporarily left approximately 250 million customer service and support records that was effectively visible from the cloud to the world.
A server left exposed to the public internet with no cyber security protections in place will be discovered and suffer repeated cyber attacks by malicious actors within about eight hours, according to an experiment conducted by Bob Diachenko, a security researcher at Comparitech.
In January it was reported that Microsoft left nearly 250 million customer service and support records exposed on the web. These records contained logs of conversations between Microsoft support and customers going back to 2005. The data was available to anyone on the web, unsecured with passwords or any other authentication requirements.
In July, alcohol delivery company Drizly suffered a massive data breach that exposed data of more than 2.5 million customer accounts. The customer data included emails, birth dates, passwords, physical addresses, phone numbers and IP addresses. The breach was discovered when TechCrunch found a dark web marketplace that purported to have Drizly customer credit card information for sale. Drizly has stated that no payment information was compromised but confirmed the exposure of other customer data.
Microsoft didn't get into details such as the number of records exposed, the type of database that was left unprotected, or the type of personal information that was left in the open, only that data in the support case analytics database was "redacted using automated tools to remove personal information."
However, Security Discovery's Cyber Threat Intelligence Director Bob Diachenko, the researcher who reported the exposed data to Microsoft was able to tell BleepingComputer that the 250 million customer support and service records were stored on five identical ElasticSearch clusters.
A popular website for helping students and children learn mathematics suffered from a data breach, resulting in more than 25 million records being exposed. The breach was only discovered when the records were being sold on the dark web earlier in May. So far, it is believed that only emails and hashed passwords were exposed.
Russian delivery company, CDEC Express, suffered a major breach when it was discovered that the records of 9 million customers were for sale on the dark web. CDEC Express has denied that they were the ones who were breached, stating that personal data is collected many companies and that they were not the source. Information such as the delivery of goods, buyer information, and tax ID numbers were all breached.
Clinical laboratory LabCorp suffered an earlier breach in July 2019 when 7.7 million records were stolen. Unfortunately, the security upgrades they must have made were not enough to prevent another breach at the end of January 2020. At least 10,000 patient records were exposed including names, addresses, and in some cases, social security numbers.
Microsoft didn't have a great start to 2020. 250 million customer service and support records, going all the way back to 2005, were breached. Microsoft has said that only email addresses and IP addresses were exposed, but security researchers believe that it goes beyond that.
Security expert Bob Diachenko discovered that a database containing personal information of more than 267 million Facebook users had been left exposed. The exposed data included names, phone numbers, and Facebook IDs. Hackers in Vietnam are believed to be responsible.
An unprotected server containing 1.2 billion records of personal data was found by security researchers. Renowned security experts Vinny Troia and Bob Diachenko found the Elasticsearch server and soon concluded that the data had been sourced by a data enrichment company. This would explain the breath-taking size of the breach, which exposed 622 million unique email address, as well as social media profiles, phone numbers, employers and even job titles.
Renowned cyber security experts Krebs on Security reported that Fortune 500 giant First American Financial Corp exposed customers' bank account numbers, statements, mortgage as well as tax records through its faulty website. 885 million highly sensitive records were leaked to anyone who knew where to look, with the records going back to 2003.
An unsecured database seemingly belonging to Chtrbox, a Mumbai-based social media marketing firm, was discovered online. TechCrunch reports that the database contained more than 49 million records comprising bio info, email address, phone number, and profile picture of millions of Instagram users.
The VPN Mentor research team discovered a data breach which exposed the personal information of 1.5 million Freedom Mobile users. Worryingly, the data included credit card numbers and CVV numbers, meaning that significant financial damage will likely be incurred as a result.
One of the most significant data breaches ever occurred on March 1st, when more than 2 million identity records including government officials and politicians was leaked online. According to reports from Zdnet, the information was stored, alarmingly, on a publicly accessible database.