Microsoft disclosed today a security breach that took place last month in December 2019.
In a blog post today, the OS maker said that an internal customer support database that was storing anonymized user analytics was accidentally exposed online without proper protections between Dec.r 5 and Dec. 31.
The database was spotted and reported to Microsoft by Bob Diachenko, a security researcher with Security Discovery.
The leaky customer support database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations, Diachenko told ZDNet today. All five servers stored the same data, appearing to be mirrors of each other.
Diachenko said Microsoft secured the exposed database on the same day he reported the issue to the OS maker, despite being New Year's Eve.
"I have been in touch with the Microsoft team helping and supporting them to properly investigate it," Diachenko told ZDNet.
Kudos to MS Security Response team - I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve. https://t.co/PPLRx9X0h4
— Bob Diachenko (@MayhemDayOne) January 22, 2020
The servers contained roughly 250 million entries, with information such as email addresses, IP addresses, and support case details. Microsoft said that most of the records didn't contain any personal user information.
"As part of Microsoft's standard operating procedures, data stored in the support case analytics database is redacted using automated tools to remove personal information," Microsoft said.
However, in cases where users filed customer support requests using non-standard formatted data such as ("name surname @ email domain com" instead of "name.surname@email.com") the data was not detected and redacted, and remained in the exposed database.
For these cases, Microsoft said it began notifying impacted customers today, although it also added that it "found no malicious use" of the data.
Microsoft blamed the accidental server exposure on misconfigured Azure security rules it deployed on Dec. 5, which it now fixed. Following the leak, Microsoft says it is now:
- Auditing the established network security rules for internal resources.
- Expanding the scope of the mechanisms that detect security rule misconfigurations.
- Adding additional alerting to service teams when security rule misconfigurations are detected.
- Implementing additional redaction automation.