The unsecured FTP server was intended to allow customers to download patches and fixes and upload files for analysis by Microsoft technical support staff.
Marketing staff at the company evidently mistook it for an internal server and have been storing confidential details and other documents, unaware that these could be accessed from the Internet.
It is estimated that 18 million addresses were contained in two compressed, password-protected files, but the protection could readily be cracked using simple tools that are available on the Web.
A spokesman said the company is investigating a potential policy breach: the server was not designated as a secure resource, and storing sensitive information on it was prohibited.
Chris Wysopal, director of research and development for digital security specialist @Stake, said ensuring that people observe security policies is crucial. "Companies need enforceable policies. A bank is much more than just a vault - it is people following approved processes."
The discovery of such a blatant flouting of security policy is being seen as a blow to Microsoft's attempts to establish itself as a security-conscious organisation through its Trustworthy Computing initiative launched last January.
Since then it has issued 65 security bulletins, primarily fixes for buffer overruns, and held up the release of several products to try to change the perception of its products as being buggy and insecure.