Microsoft reveals a security breach of an internal customer support database

Microsoft announced today that an internal customer support database experienced a security breach in December 2019.

The technology company’s announcement came via a blog post published on Wednesday, January 22, on the Microsoft Security Response Center blog. According to the post, the breach occurred on December 5, 2019 and involved the “misconfiguration of an internal customer support database used for Microsoft support case analytics.” Essentially, the breach occurred when a change was made to the database’s network security group. This change carried with it “misconfigured security rules,” which then caused the exposure of customer data. According to ZDNet, the servers affected by the breach “contained roughly 250 million entries, with information such as email addresses, IP addresses, and support case details.”

This misconfiguration came to Microsoft’s attention on December 31, 2019 and was fixed that day as well. Microsoft was alerted to the breach by security researcher Bob Diachenko of Security Discovery.

According to Microsoft’s blog post, the security breach only involved “an internal database used for support case analytics” and Microsoft maintains that the breach didn’t involve an exposure of its commercial cloud services. In addition, Microsoft’s investigation into the matter found that there was “no malicious use” and that, for the most part, its customers “did not have personally identifiable information exposed.” But there is a caveat. While most customers may be unaffected by the breach because of company practices requiring the redaction of personal information via automated tools, the technology company did say that some customer data may have been exposed in the breach due to the following exception:

“In some scenarios, the data may have remained unredacted if it met specific conditions. An example of this occurs if the information is in a non-standard format, such as an email address separated with spaces instead of written in a standard format (for example, ‘XYZ @contoso com’ vs ‘XYZ@contoso.com’).”

Microsoft has said that for these special cases, it has started to notify the customers whose data may have been exposed in the breach. The software and technology company also said that it is planning on implementing the following practices to help prevent such a breach in the future:

  • Auditing the established network security rules for internal resources.
  • Expanding the scope of the mechanisms that detect security rule misconfigurations.
  • Adding additional alerting to service teams when security rule misconfigurations are detected.
  • Implementing additional redaction automation.
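
The redaction gap Microsoft describes can be reproduced with a short added example (not Microsoft's tooling and not code from the original article): a standard-format email pattern leaves 'XYZ @contoso com' untouched, while a tolerant pattern plus a second-pass check catches it. The patterns, the TLD list, the function names and the sample support notes are all assumptions constructed for illustration.

```python
import re

# Standard-format matcher: the kind of rule that misses spaced-out addresses.
STRICT_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Tolerant matcher (assumed rule): allows spaces around "@" and spaces or dots
# between domain labels, anchored on a short TLD list. It trades some
# over-redaction for coverage of non-standard formats.
TLDS = r"(?:com|net|org|edu|gov|io)"
LOOSE_EMAIL = re.compile(
    r"[A-Za-z0-9._%+-]+[ \t]*@[ \t]*[A-Za-z0-9-]+"
    r"(?:[ \t.]+[A-Za-z0-9-]+){0,2}?[ \t.]+" + TLDS + r"\b",
    re.IGNORECASE,
)

# Constructed support-case notes; the second uses the format quoted above.
SAMPLE = [
    "Customer XYZ@contoso.com reports login failure",
    "Callback requested, reach me at XYZ @contoso com",
    "User wrote: my address is xyz @ contoso . com thanks",
]


def redact(text, pattern):
    """Replace every match of `pattern` with a fixed placeholder."""
    return pattern.sub("[REDACTED_EMAIL]", text)


def residual_leaks(redacted_text):
    """Second-pass check: return lines where an '@' survived redaction."""
    return [line for line in redacted_text.splitlines() if "@" in line]


def run(pattern):
    """Redact the sample notes and report what the second pass still flags."""
    redacted = [redact(note, pattern) for note in SAMPLE]
    return redacted, residual_leaks("\n".join(redacted))


if __name__ == "__main__":
    for name, pattern in (("strict", STRICT_EMAIL), ("loose", LOOSE_EMAIL)):
        redacted, leaks = run(pattern)
        print(name, "->", redacted)
        print(name, "lines still containing '@':", leaks)
```

The second-pass check matters as much as the wider pattern: any record that still contains an "@" after redaction can be held back from an analytics store for review rather than written as-is.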
Anita George