Last Wednesday, January 22, 2020, Microsoft announced its security data breach which occurred in December 2019. The breach spans 14 years’ worth of records. The company’s announcement of a data breach comes right after its Windows 10 vulnerability alert.
On the blog released by the OS maker, Microsoft revealed that an internal customer support database has been left exposed. The database was reportedly exposed from December 5 to 31 without password protection, states ZD Net.
ZD Net notes that the OS maker blamed the incident on the misconfiguration of Azure rules that were used on December 5, 2019.
Security researcher Bob Diachenko spotted the exposed database and immediately reported it to Microsoft. Together with his Comparitech security research team, Diachenko found five Elasticsearch servers. Each of the five servers reportedly contained the same 250 million records.
In a statement, General Manager of Microsoft, Eric Doerr, said, “We’re thankful to Bob Diachenko for working closely with us so that we were able to quickly fix this misconfiguration, analyze data, and notify customers as appropriate.”
The records were found to contain approximately 250 million customer records within the past 14 years – from 2005 to December 2019. Compromised data include email addresses, IP addresses, and details of the support case. In addition to these, geographical locations were also identified and were contained in plain text data.
Apart from the customer service support claims and cases, support agent emails, as well as resolutions, were also out in the open. Comparitech also claimed that documents and notes that were labeled as ‘confidential’ were included in the breach.
According to the report released by Comparitech, email aliases, contact numbers, and payment details were all redacted. This means that there was no personally identifiable information available.
Within 24 hours of reporting the incident to the OS maker, Forbes states that Microsoft was able to secure its servers.
In a statement made on the Microsoft Security Response Center blog post, the OS maker said, “the investigation found no malicious use, and although most customers did not have personally identifiable information exposed, we want to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable.”
Apart from fixing the server, Microsoft has deployed additional security mechanisms to its systems. They will also be “implementing additional redaction automation” and increasing support for security rule misconfigurations.
The company has also started notifying customers affected by the security breach.