Microsoft has revealed that a long-spanning data breach, affecting information dating back as far as 14 years, has exposed the data of 250 million users.
According to a blog post from the Microsoft Security Response Center, the company finished an investigation on January 22nd into an access misconfiguration of the customer support database. In the blog post, Microsoft states: “Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data. Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access.”
Microsoft claims that an automatic tool scrubbed the majority of personal information from the records before they were stored in the database. Indeed, the investigation found that most of the information had been cleared. However, each data set that was exposed included IP addresses and emails stored in plain text, as well as locations and internal notes such as case numbers and remarks.
Microsoft mitigated the issue and will continue to take preventative actions. These include auditing the security rules for internal resources, putting additional measures in place to ensure a more thorough scrubbing process, and introducing an internal alert system to help with both monitoring and proactive mitigation.