By: Ravie Lakshmanan
Microsoft this week confirmed that it inadvertently exposed information related to thousands of customers following a security lapse that left an endpoint publicly accessible over the internet sans any authentication.
“This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services,” Microsoft said in an alert.
The misconfiguration of the Azure Blob Storage was spotted on September 24, 2022, by cybersecurity company SOCRadar, which termed the leak BlueBleed. Microsoft said it’s in the process of directly notifying impacted customers.
The Windows maker did not reveal the scale of the data leak, but according to SOCRadar, it affects more than 65,000 entities in 111 countries. The exposure amounts to 2.4 terabytes of data that consists of invoices, product orders, signed customer documents, partner ecosystem details, among others.
“The exposed data include files dated from 2017 to August 2022,” SOCRadar said.
Microsoft, however, has disputed the extent of the issue, stating the data included names, email addresses, email content, company name, and phone numbers, and attached files relating to business “between a customer and Microsoft or an authorized Microsoft partner.”
It also claimed in its disclosure that the threat intel company “greatly exaggerated” the scope of the problem as the data set contains “duplicate information, with multiple references to the same emails, projects, and users.”
On top of that, Redmond expressed its disappointment over SOCRadar’s decision to release a public search tool that it said exposes customers to unnecessary security risks.
SOCRadar, in a follow-up post on Thursday, likened the BlueBleed search engine to data breach notification service “Have I Been Pwned,” enabling organizations to search if their data was exposed in a cloud data leak.
The cybersecurity vendor also said it has temporarily suspended all BlueBleed queries in the Threat Hunting module it offers to its customers as of October 19, 2022, following Microsoft’s request.
“Microsoft being unable (read: refusing) to tell customers what data was taken and apparently not notifying regulators – a legal requirement – has the hallmarks of a major botched response,” security researcher Kevin Beaumont tweeted. “I hope it isn’t.”
Beaumont further said the Microsoft bucket “has been publicly indexed for months” by services like Grayhat Warfare and that “it’s even in search engines.”
There is no evidence that the information was improperly accessed by threat actors prior to the disclosure, but such leaks could be exploited for malicious purposes such as extortion, social engineering attacks, or a quick profit.
“While some of the data that may have been accessed seems trivial, if SOCRadar is correct in what was exposed, it could include some sensitive information about the infrastructure and network configuration of potential customers,” Erich Kron, security awareness advocate at KnowBe4, told The Hacker News in an email.
“This information could be valuable to potential attackers who may be looking for vulnerabilities within one of these organizations’ networks.”