Microsoft shared details surrounding a security breach from last December that involved roughly 250 million entries. The data came from an internal customer support database consisting of mostly anonymized user analytics. The data was exposed between December 5 and December 31. Microsoft discloses the details surrounding the breach in a blog post.
Bob Diachenko, a security researcher with Security Discovery, spotted the security breach and alerted Microsoft of the issue. Diachenko shared more details on Twitter. Diachenko pointed out that Microsoft jumped on the issue quickly and solved it within a day, even though it was New Year’s Eve.
Diachenko spoke to ZDNet and specified that the database consisted of a cluster of five Elasticsearch servers. The five servers stored the same data.
Microsoft’s investigation found no malicious use of the data, and Microsoft points out that the “vast majority of records were cleared of personal information in accordance with our standard practices.” There were exceptions, however, in which case, people’s personal data was exposed. Microsoft states that “if the information [was] in a non-standard format, such as an email address separated with spaces instead of written in a standard format (for example, “XYZ @contoso com” vs “XYZ@contoso.com)” then personal data may have remained unredacted. Microsoft already began notifying people whose data was not anonymized.
Microsoft will take a series of actions to reduce the chances of a similar breach happening in the future, as outlined in its blog post:
Auditing the established network security rules for internal resources.
Expanding the scope of the mechanisms that detect security rule misconfigurations.
Adding additional alerting to service teams when security rule misconfigurations are detected.
Implementing additional redaction automation.
Microsoft states that the security breach occurred due to misconfigured Azure security rules that were deployed on December 5, which have since been fixed.
We may earn a commission for purchases using our links. Learn more.
<br />
<img src="https://i0.wp.com/www.ultimatepocket.com/wp-content/uploads/2020/01/microsoft-shares-details-of-a-security-breach-of-customer-support-database.jpg?w=640&ssl=1" alt="You can now manually check for the Windows 10 November 2019 Update" data-recalc-dims="1"><br />
<br />
<img src="https://i2.wp.com/www.ultimatepocket.com/wp-content/uploads/2020/01/microsoft-shares-details-of-a-security-breach-of-customer-support-database-1.jpg?w=640&ssl=1" alt="Xbox basically just buried Google Stadia with latest Project xCloud update" data-recalc-dims="1"><br />
<br />
<img src="https://i0.wp.com/www.ultimatepocket.com/wp-content/uploads/2020/01/microsoft-shares-details-of-a-security-breach-of-customer-support-database-2.jpg?w=640&ssl=1" alt="Don't sleep on the indie games available with Xbox Game Pass for PC" data-recalc-dims="1"><br />
<br />
<img src="https://i2.wp.com/www.ultimatepocket.com/wp-content/uploads/2020/01/microsoft-shares-details-of-a-security-breach-of-customer-support-database-3.jpg?w=640&ssl=1" alt="These VR flight simulators and games soar above the rest" data-recalc-dims="1"><br />
Kommentare