Microsoft has disclosed a security breach in one of its customer support databases that took place last year in December. In a blog post, the company said that an internal database that was storing anonymised user analytics was accidentally exposed online between December 5 and December 31, 2019, due to some "misconfigured security rules."
Bob Diachenko, a security researcher with Security Discovery, spotted the database and reported it to Microsoft. The company took cognizance of the matter and restricted the database before the start of the new year.
"Upon notification of the issue, engineers remediated the configuration on December 31, 2019, to restrict the database and prevent unauthorised access," Microsoft said in a statement.
It also said that the issue was specific to an internal database used for support case analytics and does not represent an exposure of their commercial cloud services.
"The leaky customer support database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations," Diachenko told ZDNet.
Diachenko said that all five servers stored the same data, appearing to be mirrors of each other. He also reportedly said that Microsoft secured the exposed database on the same day he reported the issue to the OS maker, despite being New Year's Eve.
Servers carried 250 million entries
As per the report, the servers contained roughly 250 million entries, with information such as email addresses, IP addresses, and support case details. According to Microsoft, most of the records were cleared of personal information in accordance with their standard practices.
"As part of Microsoft's standard operating procedures, data stored in the support case analytics database is redacted using automated tools to remove personal information," Microsoft said.
However, since the process is automated, the company admits that in some cases, the data may have remained unreacted if it met specific conditions such as when users filed customer support requests in non-standard format— such as an email address separated with spaces instead of written in a standard format.
Even for such specific cases, Microsoft said that it did not find any malicious use of the data. However, it said that it has started notifying the impacted customers for the sake of transparency.