Although Microsoft ensure that the exposed data didn't contain any personal identifiable information and neither it was used for malicious purpose.
Microsoft got the notification of misconfiguration on December 5, 2019 and upon notification of the issue, engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access.
We are committed to the privacy and security of our customers and are taking action to prevent future occurrences of this issue. These actions include:
- Auditing the established network security rules for internal resources.
- Expanding the scope of the mechanisms that detect security rule misconfigurations.
- Adding additional alerting to service teams when security rule misconfigurations are detected.
- Implementing additional redaction automation.
Microsoft apologize for the issue cause, and reassure to take this matter seriously on priority basis, and also use best security measures to prevent such kind of issues in future.