Date: 2020-01-23

Microsoft today announced a security incident that occurred in December 2019.

In a blog post today, the OS maker said that an internal customer support database that stored anonymized user analytics was accidentally exposed online without proper protections between December 5 and December 31.

The database was spotted and reported to Microsoft by Bob Diachenko, a security researcher at Security Discovery.

The leaky customer support database consisted of a cluster of five Elasticsearch servers, a technology used to simplify search operations, Diachenko told ZDNet today. All five servers stored the same data and appeared to be mirrors of each other.

Diachenko said that Microsoft had secured the exposed database on the same day that he reported the problem to the OS maker, even though it was New Year’s Eve.

“I have been in contact with the Microsoft team that helps and supports them to investigate well,” Diachenko told ZDNet.

Kudos to the MS Security Response Team – I welcome the MS support team for their responsiveness and fast lead time despite New Year’s Eve. https://t.co/PPLRx9X0h4

– Bob Diachenko (@MayhemDayOne) January 22, 2020

The servers contained around 250 million records, with information such as email addresses, IP addresses, and support case details. Microsoft said that most records did not contain personal user information.

“As part of Microsoft’s standard operating procedures, data stored in the support case analysis database is processed using automated tools to remove personal information,” Microsoft said.

In cases where users filed customer support requests using non-standard formatted data (such as “surname last name @ email domain com” instead of “name.name@email.com”), the data was not detected and redacted, and remained in the exposed database.
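The failure mode described above, shown as an added example (this is not Microsoft's tooling, which the article does not describe): a conventional email pattern misses the spaced-out form, while a looser pattern plus a fail-closed review check catches it. The pattern names, the TLD sample list, the redaction token and the sample records are all assumptions constructed for illustration.

```python
import re

TOKEN = "[REDACTED_EMAIL]"  # placeholder token, chosen for this example

# Conventional pattern: only catches well-formed addresses.
STRICT_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Assumed hardening: tolerate spaces where dots belong and around "@".
# The TLD list is a short illustrative sample, not exhaustive. The pattern
# may swallow up to two words before the address; for redaction that is
# the safe direction to be wrong in.
_WORD = r"[A-Za-z0-9_%+-]+"
LOOSE_EMAIL = re.compile(
    rf"(?:{_WORD}[ .]+){{0,2}}{_WORD}\s*@\s*"
    rf"(?:[A-Za-z0-9-]+[ .]+){{1,3}}(?:com|net|org|edu|gov|io)\b",
    re.IGNORECASE,
)


def redact_strict(text: str) -> str:
    """Redact only standard-format addresses."""
    return STRICT_EMAIL.sub(TOKEN, text)


def redact_hardened(text: str) -> str:
    """Redact standard addresses first, then spaced-out variants."""
    return LOOSE_EMAIL.sub(TOKEN, redact_strict(text))


def needs_review(text: str) -> bool:
    """Fail closed: any '@' left after redaction goes to manual review."""
    return "@" in redact_hardened(text)


# Constructed sample support-case notes (not real data).
SAMPLES = [
    "Customer name.name@email.com cannot sign in",
    "Callback requested, email: name surname @ email domain com",
    "Printer went offline @ 3pm, ticket reopened",
]

if __name__ == "__main__":
    for note in SAMPLES:
        print("strict  :", redact_strict(note))
        print("hardened:", redact_hardened(note))
        print("review  :", needs_review(note))
```

The third record contains no address, but the review check still holds it back, which is the point: a record is released only when nothing address-like remains.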

For these cases, Microsoft said it was starting to notify affected customers today, although it also added that it found “no malicious use” of the data.

Microsoft blamed the accidental server exposure on misconfigured Azure security rules that it had implemented on December 5, an issue that is now resolved. After the leak, Microsoft says it is now: