Microsoft has announced in a blog post that a database containing 250 million service records was left exposed due to a configuration error.
According to security firm Comparitech, a “security research team led by Bob Diachenko uncovered five Elasticsearch servers, each of which contained an apparently identical set of the 250 million records. Diachenko immediately notified Microsoft upon discovering the exposed data, and Microsoft took swift action to secure it.”
Diachenko is a well-known cybersecurity professional with whom Comparitech collaborates. He praised Microsoft’s quick response to his findings:
“I immediately reported this to Microsoft and within 24 hours all servers were secured. I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve.”
Microsoft’s own investigation continued, leading to the blog post today detailing what went wrong.
“Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data.”
The company said that the vast majority of the data had already been cleared of any identifiable personal information, although some data meeting specific criteria may not have been redacted.
“As part of Microsoft’s standard operating procedures, data stored in the support case analytics database is redacted using automated tools to remove personal information. Our investigation confirmed that the vast majority of records were cleared of personal information in accordance with our standard practices. In some scenarios, the data may have remained unredacted if it met specific conditions.”
Most importantly, the company says it has found no evidence of any malicious use of the exposed database.