Azure Misconfiguration Exposes 250 Million Microsoft Customer Accounts

Microsoft warned its users this week that their customer support case information may have been exposed at the end of 2019 due to security misconfigurations in an Azure-hosted database.

According to Microsoft's investigation, customer data was left unprotected from Dec. 5, 2019 through Dec. 31, 2019. Most of the personally identifiable information in these customer support records was "redacted" or obscured by "automated tools." However, some customer information, if it was slightly off-format, got exposed. Microsoft's example of such exposed data is a URL that contained extra spaces.

The person credited by Microsoft for discovering the data exposure is Bob Diachenko, who is described in this Comparitech article as being part of the security team at Comparitech, a company that offers reviews of anti-virus software, virtual private networks and online backup services. Diachenko notified Microsoft of the exposure on Dec. 29. The next day, on "Dec. 30 to 31," Microsoft "secured the servers and data," according to the Comparitech's article.

Microsoft didn't describe the extent of the data exposure, but Comparitech's article stated that "250 million Customer Service and Support" records were exposed. The records were from customers around the world and spanned "a 14-year period from 2005 to December 2019," according to Comparitech.

"All of the data was left accessible to anyone with a web browser, with no password or other authentication needed," the Comparitech article explained. The information could have been used to bolster phishing attacks on Microsoft's customers, it added.

For affected customers, Microsoft is sending out an e-mail to their Azure account administrator or subscription administrator, notifying them of the data exposure.

The e-mail notification was described by Aidan Finn, a Microsoft Most Valuable Profession, in this Twitter post. According to Finn's reproduction of Microsoft's e-mail, the type of case support information that got exposed included:

  • The location of the resource
  • Contact information such as e-mail addresses, telephone numbers and IP addresses
  • Technical support descriptions
  • Issue reproduction steps
  • Other information shared with Microsoft support agents

Microsoft claimed that its investigation didn't uncover any "malicious" use of the exposed data. However, it is disclosing the issue now "to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable."

Microsoft identified the problem as a misconfiguration of security rules with regard to the database's network security group, which happened on Dec. 5, 2019. "Misconfigurations are unfortunately a common error across the industry," Microsoft's announcement noted.

In response, the company apologized to its customers and promised to audit its internal security rules. It plans to expand mechanisms for detecting misconfigurations, including the addition of alerts. It also plans to improve how its automated redaction solution works.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Microsoft Planning Additional Job Cuts in May

    Microsoft's ongoing layoffs are hitting its home turf, with new notices affecting 1,248 people in the Redmond, Bellevue and Issaquah, Wash. areas in May.

  • Microsoft's Loop App Now Available in Preview

    Microsoft's latest collaboration application, Loop, is now available as a public preview.

  • 2023 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Microsoft To Add ISV Designations to MCPP

    Microsoft's top partner executives detailed several changes it plans to make to the 6-month-old Microsoft Cloud Partner Program (MCPP).