Microsoft fixes 'error' that exposed customer database

It conducted an investigation and found no malicious use of the data.

Oscar Gonzalez Former staff reporter
Oscar Gonzalez is a Texas native who covered video games, conspiracy theories, misinformation and cryptocurrency.
Expertise Video Games | Misinformation | Conspiracy Theories | Cryptocurrency | NFTs | Movies | TV | Economy | Stocks
Oscar Gonzalez
2 min read

Microsoft was hit with a security breach in December. 

James Martin/CNET

Microsoft  on Wednesday said it conducted an investigation into a security breach of one of its customer databases and found records could have been exposed for a short period in December.

A misconfiguration in a database's Azure security rules on Dec. 5 enabled exposure to millions of customer support records, according to a blog post from Microsoft on Wednesday. After being alerted of the issue, engineers fixed the problem as of Dec. 31. The company says there was no malicious use of the data but is disclosing the breach to be transparent to its customers. 

"Misconfigurations are unfortunately a common error across the industry," the company said. "We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we've learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available."

Most customer data stored in the databases had personal information redacted, Microsoft said. The company said it'll contact customers whose info may have not been redacted. 

Bob Diachenko, a security researcher with Comparitech, discovered the security lapse on Dec. 28. He alerted Microsoft about the issue on Dec. 29 leading to the fix two days later. 

Following this issue, Microsoft said it's taking the following steps to prevent future occurrences: 

  • Auditing the established network security rules for internal resources. 
  • Expanding the scope of the mechanisms that detect security rule misconfigurations. 
  • Adding additional alerting to service teams when security rule misconfigurations are detected. 
  • Implementing additional redaction automation. 
Watch this: What to do if your personal information is part of a data breach