Skip to main content

Digital Trends may earn a commission when you buy through links on our site. Why trust us?

Microsoft reveals a security breach of an internal customer support database

Microsoft announced today that an internal customer support database experienced a security breach in December 2019.

The technology company’s announcement came via a blog post published on Wednesday, January 22 on the Microsoft Security Response Center blog. According to the post, the breach occurred on December 5, 2019 and involved the “misconfiguration of an internal customer support database used for Microsoft support case analytics.” Essentially, the breach occurred when a change was made to the database’s network security group. This change carried with it “misconfigured security rules” which then caused the exposure of customer data. And according to ZDNet, the servers affected by the breach “contained roughly 250 million entries, with information such as email addresses, IP addresses, and support case details.”

This misconfiguration came to Microsoft’s attention on December 31, 2019 and was fixed that day as well. Microsoft was alerted to the breach by security researcher Bob Diachenko of Security Discovery.

According to Microsoft’s blog post, the security breach only involved “an internal database used for support case analytics” and Microsoft maintains that the breach didn’t involve an exposure of its commercial cloud services. In addition, Microsoft’s investigation into the matter found that there was “no malicious use” and that, for the most part, its customers “did not have personally identifiable information exposed.” But there is a caveat. While most customers may be unaffected by the breach because of company practices requiring the redaction of personal information via automated tools, the technology company did say that some customer data may have been exposed in the breach due to the following exception:

“In some scenarios, the data may have remained unredacted if it met specific conditions. An example of this occurs if the information is in a non-standard format, such as an email address separated with spaces instead of written in a standard format (for example, ‘XYZ @contoso com’ vs ‘’).”

Microsoft has said that for these special cases, it has started to notify the customers whose data may have been exposed in the breach. The software and technology company also said that it is planning on implementing the following practices to help prevent such a breach in the future:

  • Auditing the established network security rules for internal resources.
  • Expanding the scope of the mechanisms that detect security rule misconfigurations.
  • Adding additional alerting to service teams when security rule misconfigurations are detected.
  • Implementing additional redaction automation.

Editors' Recommendations

Anita George
Anita has been a technology reporter since 2013 and currently writes for the Computing section at Digital Trends. She began…
Microsoft reveals new secret weapon against cybercrime
Window's new Microsoft Security Experts program works to protect users from cybercrime using.

Microsoft announced a new cybersecurity-based initiative that will allow small businesses and huge enterprises alike to tap into the tech giant’s in-house security services and personnel.

Named Microsoft Security Experts, the program will offer security services in the form of three distinct platforms.

Read more
Cash App breach impacts millions of U.S. customers
Cash App for mobile payments.

Block, formerly Square, has revealed a security breach impacting up to 8.2 million current and former users of Cash App, its mobile payment and investment service.

The San Francisco-based company said in a recent filing with the U.S. Securities and Exchange Commission that the breach was an inside job allegedly carried out by a former employee.

Read more
Frustrated security researcher discloses Windows zero-day bug, blames Microsoft
Laptop sitting on a desk showing Windows 11's built-in Microsoft Teams experience.

There's a new zero-day issue in Windows, and this time the bug has been disclosed to the public by an angry security researcher. The vulnerability relates to users leveraging the command prompt with unauthorized system privileges to share dangerous content through the network.

According to a report from Bleeping Computer, Abdelhamid Naceri, the security researcher who disclosed this bug, is frustrated with Microsoft over payouts from the bug bounty program. Bounties have apparently been downgraded significantly over the past two years. Naceri isn't alone, either. One Twitter user reported in 2020 that zero-day vulnerabilities no longer pay $10,000 and are now valued at $1,000. Earlier this month, another Twitter user reported that bounties can be reduced at any time.

Read more