IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Misconfigured security command exposes 250 million Microsoft customer records

Some of the exposed records date as far back as 2005 and were accessible to anyone with a web browser

Microsoft has revealed a misconfigured security command was the culprit behind a leak of one of Microsoft's internal customer support databases that exposed some 250 million customer records.

"Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data," explained the Microsoft Security Response Center team. 

"Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services." 

Some of the records exposed dated as far back as 2005 and were exposed online over the last two days of 2019, and contained conversation logs between Microsoft support agents and its customers. They were left accessible to anyone with a web browser, with no passwords or authentication needed. 

The database was found by threat detection firm BinaryEdge with cyber security consultant Bob Diachenko notifying Microsoft on the 31st. 

Diachenko praised Microsoft in a tweet saying: "Kudos to MS Security Response team - I applaud the MS support team for responsiveness and quick turnaround on this despite New Year's Eve."

Microsoft engineers got to work fixing the configuration and restricting the database to prevent unauthorised access. The company stores redacted data in the support case analytics database using automated tools to remove personal information. 

Its investigation confirmed that the vast majority of records were cleared of personal information in accordance with its standard practices. In some scenarios, however, the data may have remained unredacted if it met specific conditions. For example, email addresses with separated with spaces instead of the standard format ("XYZ @contoso com" as opposed to "XYZ@contoso.com"). 

Microsoft said that its investigation had found no "malicious use" but it has begun notifying customer whose data was present in the redacted database. 

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
Windows Server admins say latest Patch Tuesday broke authentication policies
Server & storage

Windows Server admins say latest Patch Tuesday broke authentication policies

12 May 2022
Microsoft to double salary budget to retain workers
Careers & training

Microsoft to double salary budget to retain workers

17 May 2022