A Microsoft data breach left a customer database exposed online last month, with 250 million entries involved. Microsoft revealed that the database, which stored anonymised user analytics, was left without protection between 5th December and 31st December.

The information on the database included email addresses, IP addresses, and details of support cases. While Microsoft stated that the majority of these records didn’t contain personal user information, these details could still be used maliciously.

According to a report from ZDNet.com:

The database was spotted and reported to Microsoft by Bob Diachenko, a security researcher with Security Discovery.


The leaky customer support database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations, Diachenko told ZDNet today. All five servers stored the same data, appearing to be mirrors of each other.


Diachenko said Microsoft secured the exposed database on the same day he reported the issue to the OS maker, despite being New Year’s Eve.


“I have been in touch with the Microsoft team helping and supporting them to properly investigate it,” Diachenko told ZDNet.


While this is a worrying security breach, the positive news is that Microsoft has responded to it well – and reports that it “found no malicious use” of the data.

The company not only worked immediately to plug the breach on New Year’s Eve, but has also already begun notifying users who had been affected by it. This hopefully means that the impact should be minimal.
