Published: Thu, January 23, 2020
Electronics | By Kelly Massey

Microsoft exposed 250 million customer records

"I applaud the MS support team for responsiveness and quick turnaround on this despite New Year's Eve".

Diachenko reported the leak to Microsoft on the same day he discovered it, and the software giant patched the problem in two days.

Microsoft disclosed today a security breach that took place last month, in December 2019.

According to Comparitech and its security team led by Diachenko, the misconfiguration affected five servers, each of which contained an identical set of 250 million records. One good thing is that personally identifiable information was redacted in the leaked data.

Microsoft blamed the accidental server exposure on misconfigured Azure security rules it deployed on December 5, which it has now fixed.

Microsoft points out that the "vast majority of records were cleared of personal information", the result of using automated tools to redact certain info.

Bob Diachenko, a security researcher with Security Discovery, found the improperly configured database and notified Microsoft.

Microsoft highlighted that the issue was specific to an internal database used for support case analytics and does not represent an exposure of its commercial cloud services.


"If scammers obtained the data before it was secured, they could exploit it by impersonating a real Microsoft employee and referring to a real case number". However, a subset contained plain-text data including email addresses, IP addresses, case descriptions, emails from Microsoft support, case numbers and "internal notes marked as confidential".

For its part, Microsoft attributed the breach to an "access misconfiguration" and said that it "found no malicious use" of the data.

We assume that if you don't hear from Microsoft, even if you did contact support during the 2005 to 2019 period, then either your data wasn't in the exposed database, or there wasn't actually enough in the leaked database to allow anyone, including Microsoft itself, to identify you.

For Microsoft, this is its second major data security incident tied to its customer support system in a single year.

The data was exposed after it was indexed by search engine BinaryEdge.

"We want to sincerely apologize and reassure our customers that we are taking it seriously and working diligently to learn and take action to prevent any future reoccurrence", Microsoft said.

The root of the leak occurred on December 5, when the company accidentally misconfigured the security rules around the servers, which were focused on "support case analytics". In addition, it will add more alerts for rule misconfigurations and implement more redaction automation.
