microsoft carbon

Microsoft discloses security breach affecting 250 million customer records

Image credit: Dreamstime

Microsoft has shared some details of a recent security breach, which involved the complete exposure of 250 million customer records.

The breach affected an internal customer support database, mostly consisting of user analytics. According to ZDNet, which spoke to Diachenko, the affected database consisted of a cluster of five Elasticsearch (search engine) servers, all of which stored the same set of records.

The database – which was entirely unsecured and accessible to anyone with a browser who knew where to look – contained 250 million records of customer service and support log conversations spanning a period of 14 years.

Although most of the data was anonymised, some personal information - specifically information saved in non-standard formats - was left exposed. This included email addresses, locations, IP addresses and details of the customer issues.

According to Microsoft, the breach occurred due to misconfigurations in the Azure security rules deployed on December 5 2019.

The databases were discovered by BinaryEdge (which searches the internet to build threat intelligence tools) and Comparitech security researcher Bob Diachenko, who notified Microsoft.

The records were exposed for almost four weeks, with the issue fixed on New Year’s Eve. Diachenko acknowledged that Microsoft’s response had been prompt, despite it being the holiday season, commenting on Twitter: “Kudos to MS Security Response team – I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve.”

Microsoft found no abuse of the exposed data and said that the vast majority of customer records were cleared of personal information. Customers whose personal data data were exposed are being notified.

In a blog post, Microsoft said that it would take several actions to reduce the risk of a similar breach occurring, including by auditing its network security rules for internal resources and expanding the scope of the tools used to detect misconfigurations of the sort which exposed these data.

“Misconfigurations are unfortunately a common error across the industry,” the blog post said. “We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”

Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.

Recent articles