Misconfigured security command exposes 250 million Microsoft customer records
Some of the exposed records date as far back as 2005 and were accessible to anyone with a web browser
Microsoft has revealed a misconfigured security command was the culprit behind a leak of one of Microsoft's internal customer support databases that exposed some 250 million customer records.
"Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data," explained the Microsoft Security Response Center team.
"Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services."
Some of the records exposed dated as far back as 2005 and were exposed online over the last two days of 2019, and contained conversation logs between Microsoft support agents and its customers. They were left accessible to anyone with a web browser, with no passwords or authentication needed.
The database was found by threat detection firm BinaryEdge with cyber security consultant Bob Diachenko notifying Microsoft on the 31st.
Diachenko praised Microsoft in a tweet saying: "Kudos to MS Security Response team - I applaud the MS support team for responsiveness and quick turnaround on this despite New Year's Eve."
Microsoft engineers got to work fixing the configuration and restricting the database to prevent unauthorised access. The company stores redacted data in the support case analytics database using automated tools to remove personal information.
Its investigation confirmed that the vast majority of records were cleared of personal information in accordance with its standard practices. In some scenarios, however, the data may have remained unredacted if it met specific conditions. For example, email addresses with separated with spaces instead of the standard format ("XYZ @contoso com" as opposed to "XYZ@contoso.com").
Microsoft said that its investigation had found no "malicious use" but it has begun notifying customer whose data was present in the redacted database.
Digital Risk Report 2020
A global view into the impact of digital transformation on risk and security managementDownload now
6 ways your business could suffer if you don’t backup Office 365
Office 365 makes it easy to lose valuable data regularly, unpredictably, unintentionally, and for goodDownload now
Get the best out of your workforce
7 steps to unleashing their true potential with robotic process automationDownload now
8 digital best practices for IT professionals
Don't leave anything to chance when going digitalDownload now