Thousands of Microsoft customer records found on a public server
The tech giant claims security researchers have greatly exaggerated the scope of the issue


Microsoft has been accused of leaving thousands of customer records open to the public on a misconfigured server, and only taking steps to secure it after receiving a warning from a security research firm.
SOCRadar, a cyber security company, revealed on Thursday that its researchers had detected sensitive data belonging to 65,000 entities in 111 countries on a misconfigured Azure Blob Storage server.
In the discovery, first made on 24 September, the firm found 2.4 terabytes of publicly available data containing sensitive information belonging to Microsoft and its customers, including data on files dated between 2017 and August 2022. Researchers have said the data contained over 335,000 emails, 133,000 projects, and 548,000 exposed users.
The exposed files also included Proof-of-Execution (PoE) and Statement of Work (SoW) documents, user information, product orders/offers, project details, PII (Personally Identifiable Information) data, and documents that may reveal intellectual property.
Once SOCRadar detected the data, its researchers investigated a storage area in a bucket where SQL Server backups are stored. Further investigation of the backups led researchers to discover links between the misconfigured bucket and other Azure Blob Storage instances. The company claimed that the amount and scale of the leaked data made it the most significant B2B data leak in the recent history of cyber security.
The research team informed Microsoft of the leak on 24 September, and Microsoft reconfigured the server to make it private within several hours. The pair then collaborated on investigating the leak and successfully mitigated the risk of exposure.
Microsoft has said it has found no indication that customer accounts or systems have been compromised as a result, but it has notified those affected by the incident directly.
It said the data included names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft, or an authorised Microsoft partner.
However, Microsoft has accused SOCRadar of exaggerating the severity of the incident, which has been blamed on an unintentional misconfiguration on an endpoint rather than a security vulnerability. Microsoft also claimed the server was not in use across the Microsoft ecosystem.
“We appreciate SOCRadar informing us about the misconfigured endpoint, but after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue,” stated the company. “Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error.”
SOCRadar has also provided a free service where companies can search their company names to see if they are impacted by any of the leaks. In response, Microsoft said it was disappointed by the release of a search tool, adding that it was not in the best interest of ensuring customer privacy or security and potentially exposed customers to unnecessary risk.
It recommended that if security companies want to provide a similar tool, they should follow basic measures to enable data protection and privacy. This includes implementing a reasonable verification system, following data minimisation principles to ensure information is only delivered to that verified user, and not giving information out that belongs to different customers.
Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.