News

Azure Misconfiguration Exposes 250 Million Microsoft Customer Accounts

• By Kurt Mackie
• January 22, 2020

Microsoft warned its users this week that their customer support case information may have been exposed at the end of 2019 due to security misconfigurations in an Azure-hosted database.

According to Microsoft's investigation, customer data was left unprotected from Dec. 5, 2019 through Dec. 31, 2019. Most of the personally identifiable information in these customer support records was "redacted" or obscured by "automated tools." However, some customer information, if it was slightly off-format, got exposed. Microsoft's example of such exposed data is a URL that contained extra spaces.

The person credited by Microsoft for discovering the data exposure is Bob Diachenko, who is described in this Comparitech article as being part of the security team at Comparitech, a company that offers reviews of anti-virus software, virtual private networks and online backup services. Diachenko notified Microsoft of the exposure on Dec. 29. The next day, on "Dec. 30 to 31," Microsoft "secured the servers and data," according to the Comparitech's article.

Microsoft didn't describe the extent of the data exposure, but Comparitech's article stated that "250 million Customer Service and Support" records were exposed. The records were from customers around the world and spanned "a 14-year period from 2005 to December 2019," according to Comparitech.

"All of the data was left accessible to anyone with a web browser, with no password or other authentication needed," the Comparitech article explained. The information could have been used to bolster phishing attacks on Microsoft's customers, it added.

For affected customers, Microsoft is sending out an e-mail to their Azure account administrator or subscription administrator, notifying them of the data exposure.

The e-mail notification was described by Aidan Finn, a Microsoft Most Valuable Profession, in this Twitter post. According to Finn's reproduction of Microsoft's e-mail, the type of case support information that got exposed included:

• The location of the resource
• Contact information such as e-mail addresses, telephone numbers and IP addresses
• Technical support descriptions
• Issue reproduction steps
• Other information shared with Microsoft support agents

Microsoft claimed that its investigation didn't uncover any "malicious" use of the exposed data. However, it is disclosing the issue now "to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable."

Microsoft identified the problem as a misconfiguration of security rules with regard to the database's network security group, which happened on Dec. 5, 2019. "Misconfigurations are unfortunately a common error across the industry," Microsoft's announcement noted.

In response, the company apologized to its customers and promised to audit its internal security rules. It plans to expand mechanisms for detecting misconfigurations, including the addition of alerts. It also plans to improve how its automated redaction solution works.