Misconfigured security command exposes 250 million Microsoft customer records

microsoft sign

Microsoft has revealed a misconfigured security command was the culprit behind a leak of one of Microsoft's internal customer support databases that exposed some 250 million customer records.

"Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data," explained the Microsoft Security Response Center team.

"Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services."

Some of the records exposed dated as far back as 2005 and were exposed online over the last two days of 2019, and contained conversation logs between Microsoft support agents and its customers. They were left accessible to anyone with a web browser, with no passwords or authentication needed.

The database was found by threat detection firm BinaryEdge with cyber security consultant Bob Diachenko notifying Microsoft on the 31st.

AWS plugs leaky S3 buckets with CloudKnox integration Everybody suffers data leakage, study finds Microsoft, not Amazon, is going to win the cloud wars What is cloud security?

Diachenko praised Microsoft in a tweet saying: "Kudos to MS Security Response team - I applaud the MS support team for responsiveness and quick turnaround on this despite New Year's Eve."

Microsoft engineers got to work fixing the configuration and restricting the database to prevent unauthorised access. The company stores redacted data in the support case analytics database using automated tools to remove personal information.

Its investigation confirmed that the vast majority of records were cleared of personal information in accordance with its standard practices. In some scenarios, however, the data may have remained unredacted if it met specific conditions. For example, email addresses with separated with spaces instead of the standard format ("XYZ @contoso com" as opposed to "XYZ@contoso.com").

Microsoft said that its investigation had found no "malicious use" but it has begun notifying customer whose data was present in the redacted database.

Bobby Hellard is IT Pro's reviews editor and has worked on Cloud Pro and Channel Pro since 2018.

In his time at IT Pro, Bobby has covered stories for all the major technology companies, such as Apple, Microsoft, Amazon and Facebook, and regularly attends industry-leading events such as AWS Re:Invent and Google Cloud Next.

Bobby mainly covers hardware reviews, but you will also recognise him as the face of many of our video reviews of laptops and smartphones.

He has been a journalist for ten years, originally covering sports, before moving into business technology with IT Pro. He has bylines in The Independent, Vice and The Business Briefing.

Contact him at bobby.hellard@futurenet.com or find him on Twitter: @bobbyhellard