Misconfigured security command exposes 250 million Microsoft customer records

Some of the exposed records date as far back as 2005 and were accessible to anyone with a web browser

Microsoft has revealed a misconfigured security command was the culprit behind a leak of one of Microsoft's internal customer support databases that exposed some 250 million customer records.

"Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data," explained the Microsoft Security Response Center team. 

Advertisement - Article continues below

"Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services." 

Some of the records exposed dated as far back as 2005 and were exposed online over the last two days of 2019, and contained conversation logs between Microsoft support agents and its customers. They were left accessible to anyone with a web browser, with no passwords or authentication needed. 

The database was found by threat detection firm BinaryEdge with cyber security consultant Bob Diachenko notifying Microsoft on the 31st. 

Diachenko praised Microsoft in a tweet saying: "Kudos to MS Security Response team - I applaud the MS support team for responsiveness and quick turnaround on this despite New Year's Eve."

Advertisement
Advertisement - Article continues below

Microsoft engineers got to work fixing the configuration and restricting the database to prevent unauthorised access. The company stores redacted data in the support case analytics database using automated tools to remove personal information. 

Advertisement - Article continues below

Its investigation confirmed that the vast majority of records were cleared of personal information in accordance with its standard practices. In some scenarios, however, the data may have remained unredacted if it met specific conditions. For example, email addresses with separated with spaces instead of the standard format ("XYZ @contoso com" as opposed to "XYZ@contoso.com"). 

Microsoft said that its investigation had found no "malicious use" but it has begun notifying customer whose data was present in the redacted database. 

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How do you build a great customer experience?
Sponsored

How do you build a great customer experience?

20 Jul 2020
Labour Party donors caught up in Blackbaud data breach
data breaches

Labour Party donors caught up in Blackbaud data breach

31 Jul 2020