Originally posted on Bleeping Computer by Sergiu Gatlan
Microsoft said today that some of its customers’ sensitive information was exposed by a misconfigured Microsoft server accessible over the Internet.
The company secured the server after being notified of the leak on September 24, 2022 by security researchers at threat intelligence firm SOCRadar.
“This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services,” the company revealed.
“Our investigation found no indication customer accounts or systems were compromised. We have directly notified the affected customers.”
According to Microsoft, the exposed information includes names, email addresses, email content, company name, and phone numbers, as well as files linked to business between affected customers and Microsoft or an authorized Microsoft partner.
Redmond added that the leak was caused by the “unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem” and not due to a security vulnerability.
Leaked data allegedly linked to 65,000 entities worldwide
While Microsoft refrained from providing any additional details regarding this data leak, SOCRadar revealed in a blog post published today that the data was stored on misconfigured Azure Blob Storage.
In total, SOCRadar claims it was able to link this sensitive information to more than 65,000 entities from 111 countries stored in files dated from 2017 to August 2022.
“On September 24, 2022, SOCRadar’s built-in Cloud Security Module detected a misconfigured Azure Blob Storage maintained by Microsoft containing sensitive data from a high-profile cloud provider,” SOCRadar said.
The threat intel company added that, from its analysis, the leaked data “includes Proof-of-Execution (PoE) and Statement of Work (SoW) documents, user information, product orders/offers, project details, PII (Personally Identifiable Information) data, and documents that may reveal intellectual property.”
Microsoft added today that it believes SOCRadar “greatly exaggerated the scope of this issue” and “the numbers.”
Furthermore, Redmond said that SOCRadar’s decision to collect the data and make it searchable using a dedicated search portal “is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk.”
Online tool to search the leaked data
SOCRadar’s data leak search portal is named BlueBleed and it allows companies to find if their sensitive info was also exposed with the leaked data.
Besides what was found inside Microsoft’s misconfigured server, BlueBleed also allows searching for data collected from five other public storage buckets.
In Microsoft’s server alone, SOCRadar claims to have found 2.4 TB of data containing sensitive information, with more than 335,000 emails, 133,000 projects, and 548,000 exposed users discovered while analyzing the leaked files until now.
Per SOCRadar’s analysis, these files contain customer emails, SOW documents, product offers, POC (Proof of Concept) works, partner ecosystem details, invoices, project details, customer product price list, POE documents, product orders, signed customer documents, internal comments for customers, sales strategies, and customer asset documents.
“Threat actors who may have accessed the bucket may use this information in different forms for extortion, blackmailing, creating social engineering tactics with the help of exposed information, or simply selling the information to the highest bidder on the dark web and Telegram channels,” SOCRadar warned.
A SOCRadar spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
Update October 19, 14:44 EDT: Added more info on SOCRadar’s BlueBleed portal.