According to the company – nothing happened.
The vulnerability in question was discovered on December 29 by security researchers Bob Diachenko and Comparitech. Microsoft corrected the problem only two days later. So what was the mistake? According to the Redmond giant, it resulted from a misconfiguration of one of the internal databases dedicated to customer service. The company also claims that it found no evidence that the database was used or compromised by cyber criminals.
Microsoft also claims that the vast majority of the disclosed data had been redacted. Some information, however, such as IP addresses and email addresses, was in plain text. If someone could access the logs in the database, they could use them to impersonate company employees in the context of a phishing attack.
"We want to sincerely apologize to our users while ensuring that we have taken all steps to ensure that the situation does not happen again in the future," Microsoft said in an official statement regarding the situation described.
After exposing user data, Microsoft is about to carry out a full audit of its internal security rules and implement additional tools that will automatically redact sensitive customer information. The American company has also created new alerts that are to notify service teams immediately if they detect a security misconfiguration.
This is Microsoft's second major incident related to data security across 2019 and 2020. One can only hope that there will be no more.