Covering the week's top tech with a slight Linux bias.

A security shocker out of Microsoft, as it has been revealed that 250 million customer records have been exposed online.

This is a facepalm.

We really don't intend for the news to be all about Microsoft, but this week has been a doozy. There's the Internet Explorer zero-day vulnerability that's being actively exploited, yet Microsoft hasn't issued a patch for. That revelation came just days after the US government issued a critical alert to Windows users concerning the extraordinarily serious CurveBall crypto vulnerability. And now this: 250 million Microsoft customer records, spanning an incredible 14 years in all, have been exposed online in a database with no password protection.

The data was accessible to anyone with a web browser who stumbled across the databases, according to the report issued by the security researcher team at Comparitech. No authentication at all was required to access them. The nature of the data appears to be that much of the personally identifiable information was redacted. However, the researchers say that many contain plain-text data, including customer email addresses, IP addresses, geographical locations, descriptions of the customer service and support claims and cases, Microsoft support agent emails, case numbers and resolutions, and internal notes that had been marked as confidential.

Hmm.

While this may seem like no big deal considering the number of breaches, many of which affect even more users, the thing to consider here is that Microsoft support scams are already rampant, and it doesn't take a genius to work out how valuable actual customer information could be to the fraudsters carrying out such attacks. And it puts users at a severe disadvantage and risk of being exploited by someone pretending to be the very company they trust.

Microsoft Security Response Center posted a response dated January 22nd, 2020. In that post they confirmed that the exposure of the database started on December
5th, 2019, as a result of misconfigured security rules, and was fixed on December 31st. It's not known at this point if the databases were accessed, but it seems very, very likely: since white-hat security researchers picked up on the issue and even replicated its data to their own servers, it's very likely bad actors also got their hands on it.

Based yet another, yeah, yeah, just another. What is going on at Microsoft? Like, what do you say? It's like, yeah, that's a disheartening story.

So I guess what it comes down to is the only thing we can say. I mean, sure, you're facepalming, I'm disgusted. You, as potential victims, need to understand that you just need to be very, very conscious that this has happened. You have to be very conscious that phishing scams, and now spear phishing scams, exist. So now they have your information. You have a Microsoft account, right? You've contacted their support or activated software. So now somebody can call you and say, "I'm calling from Microsoft, and I've got your case number here, and blah blah blah, and I've got enough evidence on this piece of paper to be able to prove to you that I am who I say I am."

Right. "Just like the last time we spoke, when we offered you this and this."

Yes. "Remember that?" "Yeah, I remember the time that you called, just a couple of weeks ago, and we talked about this and that." "Oh yeah, yeah, okay. Well, we just found out that there's another exploit, and so I need to remote into your computer to fix that for you."

Exactly. So all of a sudden there's this, okay, wait, wait, wait, wait, wait, wait, hold up. So here's what you need to do: hang up the phone.

Yes.

Okay. Microsoft does not phone its users. Microsoft will not offer you support. That's not the industry that they are in.

That's right.

That's not how they work. And so just understand that, and maybe if you just at least make yourself critical enough to be able to say "Microsoft does not offer this service", if you can just say that to yourself, then maybe that's enough to protect you, so that
when that call comes in, or when that email comes in, that you just don't click it.

Last week we learned, as well, that a new form of cookie attack is allowing hackers to compromise PayPal accounts just by you clicking on a link that takes you to a site that creates the session, and then you can close that and come back to it two weeks later and log in to the legitimate paypal.com website, and boom, they've got your information. So we know that if you just fall for it enough to click the link, they could have put something on your computer that's enough to get you next time. So even if you don't fall for it this time, maybe you click the link and you don't give them your information, but you clicked the link. Don't click the link.

Right.

Stop yourself at that point and realize: Microsoft doesn't offer this service. I am NOT gonna click a link in an email that says log into my Microsoft account or any Microsoft service. So understand, that's Office 365, that's Exchange, that's your, like, what is it, Microsoft online, even Xbox, whatever, Xbox 360 online or whatever.

All that stuff.

Yeah, all that stuff. Microsoft online account for your Minecraft, and, like, all these things. You're compromised.

Yep.

So don't trust anything that comes in now, period.

Yes.

And that's a blanket statement: don't trust anything now. You have to decide. You have to go to your bank website and log in correctly. You don't ever, don't ever click a link that takes you there. And never, don't Google it, don't search it in Bing, don't type it in the search. Don't type your bank's name in the search and click the first link on the results.

No, you type in your... People do that.

Yeah, and those same people