Microsoft has blamed a misconfiguration error for the exposure of customer support database records in December.
The records were exposed between Dec. 5 and Dec. 31, when the flaw was remediated by Microsoft engineers, the company said.
Microsoft's investigation into the incident found "no malicious use" of the data. Additionally, "most" of the records in the database--but not all--had been redacted of personal information, the company said.
"Our investigation confirmed that the vast majority of records were cleared of personal information in accordance with our standard practices," Microsoft said in a blog post.
On Dec. 5, a change containing misconfigured security rules was made to the network security group for the customer support database, leading to the exposure of the records data, the company said.
"This issue was specific to an internal database used for support case analytics and does not represent an exposure of our commercial cloud services," Microsoft said in its blog.
A security researcher, Bob Diachenko, uncovered the database exposure and reported it to Microsoft on Dec. 29. Diachenko has said 250 million records were exposed. CRN has reached out to Microsoft to confirm the figure.
In a tweet, Diachenko said the Microsoft security response team responded swiftly after he notified the company. "I applaud the MS support team for responsiveness and quick turnaround on this despite New Year’s Eve," he tweeted.
In its blog, Microsoft thanked Diachenko for reporting the flaw, and said the company is "taking it very seriously and holding ourselves accountable."
"Misconfigurations are unfortunately a common error across the industry," the company said. "We have solutions to help prevent this kind of mistake, but unfortunately, they were not enabled for this database."
Some customer records with personal information did remain in the database due to meeting certain conditions--for instance, if an email address was rendered incorrectly with spaces in it, the company said.
Microsoft has begun notifying customers with data that was present in the exposed database, the company said.