On Wednesday, Microsoft said it had completed work to fix a security vulnerability. The serious bug, which leaked a customer database, dates back to December 2019. Fortunately, no evidence has been found that the data was used maliciously. According to an official blog post, an incorrect configuration in Azure Database Security Rules on December 5 exposed support records for millions of customers.
After receiving an alert about the problem, engineers fixed it on December 31. Although there are no reports of malicious use of the data, Microsoft is disclosing the incident to customers in the interest of transparency.
Unfortunately, misconfiguration is a fairly common error across the industry. We have a solution to prevent this error, but we haven’t enabled these measures for this database yet.
As far as we know, checking your configuration regularly and ensuring that all feasible measures are enabled provides more comprehensive protection.
Personal information has actually been excluded from most of the customer data stored in the database. The company will also contact customers who may not have edited their information.
Bob Diachenko, a security researcher at Comparitech, noted that the security breach was first discovered on December 28, and that the company completed the fix two days later, after Microsoft was warned.
In response, Microsoft said it was taking the following steps to prevent similar accidents in the future:
(1) Review established network security rules in internal resources.
(2) Extend the scope of mechanisms that detect errors in the configuration of security rules.
(3) Send additional alerts to the service team when a configuration error is detected.
(4) Implement other feasible automated revisions.