In a company led investigation into a misconfiguration of internal customer support database for Microsoft support case analytics information, data exposure was revealed. Microsoft in a blog post explained that it has detected no malicious use on the information that was exposed.
The discovery of the exposure was made by the Comparitech security research team led by Bob Diachenko. The team found five Elasticsearch servers which contained an identical set of 250 million records. Upon discovery, he notified Microsoft of the exposed data. Microsoft was swift in taking down the exposed information.
Bob Diachenko found out about the lapse in security on December 28 and alerted Microsoft of the issue on December 29. This led to a fix two days later.
Among the information exposed was some personal information that was not redacted. The affected customers will be contacted by Microsoft to explain about the security incident.
In the blog post, the company was apologetic about the mistake and said, “We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database. As we’ve learned, it is good to periodically review your own configurations and ensure you are taking advantage of all protections available.”