Thousands of Microsoft customer records found on a public server
The tech giant claims security researchers have greatly exaggerated the scope of the issue
Microsoft has been accused of leaving thousands of customer records open to the public on a misconfigured server, and only taking steps to secure it after receiving a warning from a security research firm.
SOCRadar, a cyber security company, revealed on Thursday that its researchers had detected sensitive data belonging to 65,000 entities in 111 countries on a misconfigured Azure Blob Storage server.
The firm first discovered the exposure on 24 September, finding 2.4 terabytes of data publicly available, containing sensitive information belonging to Microsoft and its customers, including data on files dated between 2017 and August 2022. Researchers have said the data contained over 335,000 emails, 133,000 projects, and 548,000 exposed users.
The exposed files also included Proof-of-Execution (PoE) and Statement of Work (SoW) documents, user information, product orders/offers, project details, PII (Personally Identifiable Information) data, and documents that may reveal intellectual property.
Once SOCRadar detected the data, its researchers investigated a storage area in a bucket where SQL Server backups are stored. Further investigation of the backups led researchers to discover links between the misconfigured bucket and other Azure Blob Storage instances. The company claimed that the amount and scale of the leaked data made it the most significant B2B data leak in the recent history of cyber security.
The research team informed Microsoft of the leak on 24 September, and the company reconfigured the server to make it private within several hours. The pair then collaborated on investigating the leak and successfully mitigated the risk of exposure.
Microsoft has said it has found no indication that customer accounts or systems have been compromised as a result, but it has notified those affected by the incident directly.
It said the data included names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft, or an authorised Microsoft partner.
However, Microsoft has accused SOCRadar of exaggerating the severity of the incident, which has been blamed on an unintentional misconfiguration on an endpoint rather than on a security vulnerability. Microsoft also claimed the server was not in use across the Microsoft ecosystem.
“We appreciate SOCRadar informing us about the misconfigured endpoint, but after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue,” stated the company. “Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error.”
SOCRadar has also provided a free service where companies can search their company names to see if they are impacted by any of the leaks. In response, Microsoft said it was disappointed by the release of a search tool, adding that it was not in the best interest of ensuring customer privacy or security, and potentially exposed customers to unnecessary risk.
It recommended that if security companies want to provide a similar tool, they should follow basic measures to enable data protection and privacy. This includes implementing a reasonable verification system, following data minimisation principles to ensure information is only delivered to that verified user, and not giving information out that belongs to different customers.
Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.