Misconfigured security command exposes 250 million Microsoft customer records

Some of the exposed records date as far back as 2005 and were accessible to anyone with a web browser

Microsoft has revealed a misconfigured security command was the culprit behind a leak of one of Microsoft's internal customer support databases that exposed some 250 million customer records.

"Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data," explained the Microsoft Security Response Center team. 

"Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services." 

Some of the records exposed dated as far back as 2005 and were exposed online over the last two days of 2019, and contained conversation logs between Microsoft support agents and its customers. They were left accessible to anyone with a web browser, with no passwords or authentication needed. 

The database was found by threat detection firm BinaryEdge with cyber security consultant Bob Diachenko notifying Microsoft on the 31st. 

Diachenko praised Microsoft in a tweet saying: "Kudos to MS Security Response team - I applaud the MS support team for responsiveness and quick turnaround on this despite New Year's Eve."

Microsoft engineers got to work fixing the configuration and restricting the database to prevent unauthorised access. The company stores redacted data in the support case analytics database using automated tools to remove personal information. 

Its investigation confirmed that the vast majority of records were cleared of personal information in accordance with its standard practices. In some scenarios, however, the data may have remained unredacted if it met specific conditions. For example, email addresses with separated with spaces instead of the standard format ("XYZ @contoso com" as opposed to "XYZ@contoso.com"). 

Microsoft said that its investigation had found no "malicious use" but it has begun notifying customer whose data was present in the redacted database. 

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Most Popular

Citrix buys Slack competitor Wrike in record $2.25bn deal
collaboration

Citrix buys Slack competitor Wrike in record $2.25bn deal

19 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021
SolarWinds hackers hit Malwarebytes through Microsoft exploit
hacking

SolarWinds hackers hit Malwarebytes through Microsoft exploit

20 Jan 2021