Almost a month after Microsoft secured a database which exposed personal data on 250 million people for roughly a month, the company has explained exactly what happened and what it did to remedy the issue.
According to the Microsoft Security Response Centre team, the problem lied in a misconfigured security command, which exposed internal customer support databases to the general public.
"Our investigation has determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data," it explained.
"Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access. This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services."
The user records, some of which were almost 15 years old, contained, among other things, conversation logs of discussions between Microsoft customers and customer support employees. Anyone who knew where to look could have found them, without needing any type of authentication to access the data.
The leak was first discovered by security consultant Bob Diachenko, together with cybersecurity firm BinaryEdge, who notified Microsoft late in December last year.
Microsoft seems to have responded instantly, as Diachenko showered it with praise. He took to Twitter and said: "Kudos to MS Security Response team - I applaud the MS support team for responsiveness and quick turnaround on this despite New Year's Eve."
Microsoft said the database wasn’t used maliciously, but notified the afflicted customers nonetheless.