Microsoft shuts site--IDs exposed

Microsoft closes a site hosted by Softbank Services after discovering that it was revealing private information for 108,000 customers.

Paul Festa, Staff Writer, CNET News.com. Paul Festa covers browser development and Web standards.
Microsoft yesterday shut down a site hosted by Softbank Services after discovering that it was revealing private identification and contact information for 108,000 Microsoft customers.

Softbank's site let users of Microsoft's Money financial management software upgrade to Money 99 from previous versions of Money. Microsoft had Softbank Services pull the site yesterday after learning of the security breach from CNET News.com.

Users trying to access the downed site first received an HTTP error page. Now the site reads: "We are sorry, but our site is temporarily out of service. If you would like to place an order for Money 99 or the Financial Suite please call 1-800-598-2068. M-F 8 a.m.-10 p.m. ET."

Microsoft on Thursday sent out a mass email inviting Money users to order the software upgrade either online or through a toll-free call. The email included a unique reservation number nine digits long.

Once at the Softbank Services-hosted upgrade site, users could enter that number to order the upgrade. However, if they altered one or more of its digits, they were likely to call up the account of another customer.

While the resulting Web page did not display the other customer's personal information outright, it carried that customer's name, phone number, email address, and postal address in a series of hidden form fields, which could be viewed easily in the document or page source.

News.com was notified of the problem yesterday by Gregor Freund of Bay Area security software firm Slant.

"You could write a ten-line script and download all that information and use it for whatever purpose," Freund said. "These are very targeted addresses."

It was not clear today whether other Microsoft customer databases hosted by Softbank--or Softbank's other clients--were similarly exposed.

A Microsoft spokesperson suggested that it was probably an isolated incident. "We have used the service many, many times in many different ways, and this was the first time that this sort of thing has come to our attention," the spokesperson said.

Softbank could have secured the site by asking for another piece of information, such as the customer's zip code, which would have made it harder to access the accounts by randomly guessing at reservation numbers.
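The following Python sketch is an added illustration, not code from the Softbank site or from Microsoft, of the two weaknesses the article describes and of the fix it suggests. The reservation table, customer records, `client_id`, `MAX_ATTEMPTS` and the token scheme are all constructed assumptions for the example: `lookup_vulnerable` returns a customer's details to anyone who supplies a valid nine-digit number and echoes them into hidden fields, while `Hardened.lookup` requires the zip code as a second piece of information, gives the same generic failure whether the number or the zip was wrong, limits failed attempts per client, and sends the browser only an opaque token instead of the customer's contact data.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data standing in for the reservation database.
# The numbers and people are made up for this example.
RESERVATIONS = {
    "100000001": {"name": "Alice Example", "zip": "98052",
                  "email": "alice@example.com", "phone": "555-0101"},
    "100000002": {"name": "Bob Example", "zip": "94025",
                  "email": "bob@example.com", "phone": "555-0102"},
}


def lookup_vulnerable(reservation_number):
    """Mirrors the exposed behaviour: any valid number yields the full record.

    Altering a digit of your own number simply selects a neighbouring
    customer, and the record lands in hidden form fields on the page.
    """
    record = RESERVATIONS.get(reservation_number)
    if record is None:
        return None
    return {"hidden_fields": dict(record)}


MAX_ATTEMPTS = 5  # assumed lockout threshold for this example
FAILURE = {"error": "We could not verify your reservation."}


@dataclass
class Hardened:
    # Hypothetical per-client failure counter and token store; a real site
    # would key these on a session and persist them server-side.
    attempts: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)

    def lookup(self, client_id, reservation_number, zip_code):
        """Require number AND zip; never reveal which of the two was wrong."""
        if self.attempts.get(client_id, 0) >= MAX_ATTEMPTS:
            return FAILURE
        record = RESERVATIONS.get(reservation_number)
        # Compare against a dummy value when the number is unknown so the
        # code path, and the response, are identical in both failure cases.
        expected = record["zip"] if record else "00000"
        zip_ok = hmac.compare_digest(expected.encode(), zip_code.encode())
        if record is None or not zip_ok:
            self.attempts[client_id] = self.attempts.get(client_id, 0) + 1
            return FAILURE
        self.attempts.pop(client_id, None)
        # Bind the verified reservation to an unguessable token kept server-side;
        # only a display name and that token are sent to the browser.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = reservation_number
        return {"greeting": record["name"],
                "hidden_fields": {"order_token": token}}

    def record_for_token(self, token):
        """Server-side retrieval at order time; PII never round-trips via the page."""
        number = self.sessions.get(token)
        return RESERVATIONS.get(number) if number else None
```

The dummy comparison and the single `FAILURE` response matter as much as the zip check itself: if unknown numbers returned a different message than wrong zips, the second factor would still let someone confirm which reservation numbers exist.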

Softbank could not be reached for comment.