Microsoft this week confirmed that it inadvertently uncovered info associated to hundreds of shoppers following a safety lapse that left an endpoint publicly accessible over the web sans any authentication.
“This misconfiguration resulted within the potential for unauthenticated entry to some enterprise transaction knowledge akin to interactions between Microsoft and potential prospects, such because the planning or potential implementation and provisioning of Microsoft providers,” Microsoft mentioned in an alert.
The misconfiguration of the Azure Blob Storage was noticed on September 24, 2022, by cybersecurity firm SOCRadar, which termed the leak BlueBleed. Microsoft mentioned it is within the means of immediately notifying impacted prospects.
The Home windows makers didn’t disclose the dimensions of the info leak, however based on SOCRadar, it impacts greater than 65,000 entities in 111 nations. The publicity quantities to 2.4 terabytes of information that consists of invoices, product orders, signed buyer paperwork, accomplice ecosystem particulars, amongst others.
“The uncovered knowledge embrace recordsdata dated from 2017 to August 2022,” SOCRadar mentioned.
Microsoft, nevertheless, has disputed the extent of the problem, stating the info included names, electronic mail addresses, electronic mail content material, firm title, and cellphone numbers, and hooked up recordsdata regarding enterprise “between a buyer and Microsoft or a certified Microsoft accomplice.”
It additionally claimed in its disclosure that the risk intel firm “vastly exaggerated” the scope of the issue as the info set comprises “duplicate info, with a number of references to the identical emails, tasks, and customers.”
On prime of that, Redmond expressed its disappointment over SOCRadar’s determination to launch a public search device that it mentioned exposes prospects to pointless safety dangers.
SOCRadar, in a follow-up submit on Thursday, likened the BlueBleed search engine to knowledge breach notification service “Have I Been Pwned,” enabling organizations to look if their knowledge was uncovered in a cloud knowledge leak.
The cybersecurity vendor additionally mentioned it has quickly suspended any BlueBleed queries as of October 19, 2022, following Microsoft’s request.
“Microsoft being unable (learn: refusing) to inform prospects what knowledge was taken and apparently not notifying regulators – a authorized requirement – has the hallmarks of a serious botched response,” safety researcher Kevin Beaumont tweeted. “I hope it is not.”
Beaumont additional mentioned the Microsoft bucket “has been publicly listed for months” by providers like Grayhat Warfare and that “it is even in serps.”
There isn’t any proof that the knowledge was improperly accessed by risk actors previous to the disclosure, however such leaks might be exploited for malicious functions akin to extortion, social engineering assaults, or a fast revenue.
“Whereas a few of the knowledge that will have been accessed appears trivial, if SOCRadar is right in what was uncovered, it might embrace some delicate details about the infrastructure and community configuration of potential prospects,” Erich Kron, safety consciousness advocate at KnowBe4, advised The Hacker Information in an electronic mail.
“This info might be beneficial to potential attackers who could also be on the lookout for vulnerabilities inside one among these organizations’ networks.”
