Azure Misconfiguration Exposes 250 Million Microsoft Customer Accounts

Microsoft warned its users this week that their customer support case information may have been exposed at the end of 2019 due to security misconfigurations in an Azure-hosted database.

According to Microsoft's investigation, customer data was left unprotected from Dec. 5, 2019 through Dec. 31, 2019. Most of the personally identifiable information in these customer support records was "redacted" or obscured by "automated tools." However, some customer information, if it was slightly off-format, got exposed. Microsoft's example of such exposed data is a URL that contained extra spaces.

The person credited by Microsoft for discovering the data exposure is Bob Diachenko, who is described in this Comparitech article as being part of the security team at Comparitech, a company that offers reviews of anti-virus software, virtual private networks and online backup services. Diachenko notified Microsoft of the exposure on Dec. 29. The next day, on "Dec. 30 to 31," Microsoft "secured the servers and data," according to the Comparitech article.

Microsoft didn't describe the extent of the data exposure, but Comparitech's article stated that "250 million Customer Service and Support" records were exposed. The records were from customers around the world and spanned "a 14-year period from 2005 to December 2019," according to Comparitech.

"All of the data was left accessible to anyone with a web browser, with no password or other authentication needed," the Comparitech article explained. The information could have been used to bolster phishing attacks on Microsoft's customers, it added.

For affected customers, Microsoft is sending out an e-mail to their Azure account administrator or subscription administrator, notifying them of the data exposure.

The e-mail notification was described by Aidan Finn, a Microsoft Most Valuable Professional, in this Twitter post. According to Finn's reproduction of Microsoft's e-mail, the type of case support information that got exposed included:

  • The location of the resource
  • Contact information such as e-mail addresses, telephone numbers and IP addresses
  • Technical support descriptions
  • Issue reproduction steps
  • Other information shared with Microsoft support agents

Microsoft claimed that its investigation didn't uncover any "malicious" use of the exposed data. However, it is disclosing the issue now "to be transparent about this incident with all customers and reassure them that we are taking it very seriously and holding ourselves accountable."

Microsoft identified the problem as a misconfiguration of security rules with regard to the database's network security group, which happened on Dec. 5, 2019. "Misconfigurations are unfortunately a common error across the industry," Microsoft's announcement noted.

In response, the company apologized to its customers and promised to audit its internal security rules. It plans to expand mechanisms for detecting misconfigurations, including the addition of alerts. It also plans to improve how its automated redaction solution works.
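The kind of misconfiguration check described above can be sketched as follows. This is an added example, not Microsoft's tooling or code from the original article: it walks network security group rules in priority order and reports groups where an inbound Allow rule lets any Internet source reach a database port. The sample NSGs, rule names and port 1433 are constructed assumptions; the field names follow the JSON that `az network nsg list -o json` returns.

```python
import json

# Constructed sample, in the shape `az network nsg list -o json` returns.
SAMPLE = json.loads("""[
 {"name": "nsg-db-open", "securityRules": [
   {"name": "allow-any", "priority": 100, "direction": "Inbound", "access": "Allow",
    "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"}]},
 {"name": "nsg-db-shadowed", "securityRules": [
   {"name": "allow-db", "priority": 200, "direction": "Inbound", "access": "Allow",
    "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["1400-1500"]},
   {"name": "deny-db", "priority": 150, "direction": "Inbound", "access": "Deny",
    "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "1433"}]},
 {"name": "nsg-db-internal", "securityRules": [
   {"name": "allow-vnet", "priority": 100, "direction": "Inbound", "access": "Allow",
    "protocol": "Tcp", "sourceAddressPrefixes": ["10.0.0.0/8"], "destinationPortRange": "1433"}]}
]""")

ANY_SOURCE = {"*", "internet", "0.0.0.0/0"}
DB_PORT = 1433  # assumption: the article does not name the database port

def _values(rule, single, plural):
    """Merge the singular and plural forms of an NSG rule field into one list."""
    return [v for v in [rule.get(single), *(rule.get(plural) or [])] if v]

def _covers(spec, port):
    """True if a port spec ('*', '1433' or '1400-1500') includes the port."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def exposing_rule(nsg, port):
    """Name of the Allow rule that decides Internet TCP traffic to port, else None."""
    inbound = [r for r in nsg.get("securityRules", []) if r["direction"].lower() == "inbound"]
    for rule in sorted(inbound, key=lambda r: r["priority"]):  # lowest number wins
        sources = {s.lower() for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")}
        ports = _values(rule, "destinationPortRange", "destinationPortRanges")
        if rule["protocol"].lower() not in ("*", "tcp") or not sources & ANY_SOURCE:
            continue
        if any(_covers(p, port) for p in ports):
            return rule["name"] if rule["access"].lower() == "allow" else None
    return None  # falls through to the default DenyAllInBound rule

def audit(nsgs, port=DB_PORT):
    """List (nsg, rule) pairs where any Internet host can reach the port."""
    hits = ((n["name"], exposing_rule(n, port)) for n in nsgs)
    return [(name, rule) for name, rule in hits if rule]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The check only treats `*`, `Internet` and `0.0.0.0/0` as "anyone"; other service tags and application security groups are skipped, so a clean result does not prove a group is closed to every external source.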

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
