Microsoft Discloses Security Breach in Customer Database

The company says the database, which stored user analytics and contained over 250 million entries, was accidentally exposed last December

It is one thing for attackers to break into networks to steal data, but it is quite another to hear that one of the world’s top three tech giants left its doors unlocked, exposing more than 250 million entries in an internal customer support database, something that could have led to embarrassing outcomes.

In a blog post on its official website, Microsoft admitted the security breach, which lasted from December 5 to December 31, 2019, but said the investigation ruled out any malicious intent or use of the exposed data. The company said that though there was no personally identifiable information in the database, the post was part of Microsoft’s efforts to be transparent about the incident to all customers.

The probe revealed that a change made to the database’s network security group on December 5 contained misconfigured security rules that enabled the exposure. The rules were fixed on December 31 to prevent unauthorized access. The company clarified that the issue related to an internal database used for support case analytics and “does not represent an exposure of our commercial cloud services”.

Ann Johnson, Corporate VP of Microsoft’s Cybersecurity Solutions Group, and Eric Doerr, General Manager of the Microsoft Security Response Centre, claimed that misconfigurations were a common error across the industry but that solutions that prevent such errors weren’t enabled for this particular database.

A report published on ZDNet.com says the database exposure was first reported to Microsoft by Bob Diachenko, a security researcher with Security Discovery, who said that it comprised a cluster of five servers which appeared to have the same data. The security expert took to Twitter to share information about the breach and how he helped fix it.

For its part, Microsoft also complimented Diachenko for his efforts and said, “we also want to thank the researcher, Bob Diachenko, for working closely with us so that we were able to quickly fix this misconfiguration, investigate the situation, and begin notifying customers as appropriate.”

It looks like the company escaped a major embarrassment and needs to review its security protocols from time to time, though on this occasion it may also want to thank cybercriminals who were possibly asleep at work.

