Microsoft announced in an email to Azure users that it has corrected an issue identified by a third-party security researcher where a database containing a subset of information related to customer support interactions was accessible to the internet between the dates of December 5, 2019 and December 31, 2019.
According to Microsoft, “this issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services. Once identified, Microsoft mitigated the issue, and our security team’s investigation found no indication of malicious use of the database records. Our analysis of the support information indicates that specific personal or organizational identifiable information related to your support case was potentially visible.”
As a result of this issue, the support data exposed may include the following:
- System generated data related to support cases such as:
  - Resource location
- Contact information provided to support agents or contained in customer support requests:
  - Email addresses
  - Telephone numbers
  - Internet Protocol (IP) addresses
- Information shared with support agents as part of the support case interaction such as:
  - Descriptions of technical issues
  - Issue reproduction steps
  - Information shared to assist support agents with troubleshooting
Microsoft determined that this information was potentially exposed due to a misconfiguration of network security group security rules.
Microsoft engineers determined that a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the database information. Upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access.
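A check for the class of change described above, written as an added example (not Microsoft's code; the actual rules were not published): it compares a network security group's rules before and after a change and reports the rule that newly exposes a database port to the internet. The rule names, address ranges and port 1433 are assumptions constructed for illustration.

```python
# Added example: flag an NSG change that makes a database port reachable from the internet.
# Rules are flattened dicts using Azure's securityRules property names; all sample
# values (rule names, port 1433, address ranges) are constructed for illustration.

INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}  # prefixes that admit any internet host

def port_matches(spec, port):
    """True if a destinationPortRange value ("*", "1433", "1000-2000") covers port."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def internet_reachable(rules, port, protocol="Tcp"):
    """Name of the inbound Allow rule exposing port to the internet, else None.

    NSG rules are evaluated in ascending priority and the first match wins, so a
    broad Allow placed above a Deny exposes the port even though the Deny exists.
    Only rules whose source covers the whole internet are considered here.
    """
    inbound = (r for r in rules if r["direction"] == "Inbound")
    for r in sorted(inbound, key=lambda r: r["priority"]):
        if r["protocol"] not in ("*", protocol):
            continue
        if r["sourceAddressPrefix"].lower() not in INTERNET_SOURCES:
            continue
        if not port_matches(r["destinationPortRange"], port):
            continue
        return r["name"] if r["access"] == "Allow" else None
    return None  # no match: the default DenyAllInBound rule applies

def exposure_introduced(before, after, port):
    """Rule name if the change newly exposes port, else None."""
    if internet_reachable(before, port) is None:
        return internet_reachable(after, port)
    return None

def rule(name, priority, access, source, ports):
    return {"name": name, "priority": priority, "direction": "Inbound", "access": access,
            "protocol": "Tcp", "sourceAddressPrefix": source, "destinationPortRange": ports}

BEFORE = [rule("allow-corp", 100, "Allow", "10.0.0.0/16", "1433"),
          rule("deny-internet", 200, "Deny", "Internet", "*")]
# Constructed change: a broad Allow inserted ahead of the existing Deny.
AFTER = BEFORE + [rule("allow-analytics", 150, "Allow", "*", "1000-2000")]

if __name__ == "__main__":
    print(exposure_introduced(BEFORE, AFTER, 1433))
```

Run as a gate on proposed NSG changes, a check like this catches the exposure at change time rather than weeks later.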