Microsoft confirmed it suffered a database error that reportedly left about 250 million customer service and support records exposed to anyone with a web browser.
“Our investigation has determined that a change made to the database’s network security group on December 5 2019 contained misconfigured security rules that enabled exposure of the data,” said Microsoft.
“Upon notification of the issue, engineers remediated the configuration on December 31 2019 to restrict the database and prevent unauthorized access.”
The issue was discovered by a Comparitech research team led by Bob Diachenko on 29 December.
Diachenko said that most personally identifiable information was redacted from the exposed records, but many records contained plain-text data including customer email addresses, IP addresses, locations, case numbers, and internal notes marked as confidential.
“I immediately reported this to Microsoft and within 24 hours all servers were secured,” Diachenko said.
“I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve.”
Microsoft highlighted that the issue was specific to an internal database used for support case analytics and does not represent an exposure of its commercial cloud services.
It also did not find any evidence that this exposed data was used maliciously.
“We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence,” said Microsoft.