Microsoft Security Breach Again

Microsoft confirmed this week that it inadvertently leaked information about thousands of customers following a security lapse that left public-facing web endpoints without authentication. “This misconfiguration could have resulted in unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospects, such as planned or potential Microsoft services implementation and delivery,” Microsoft said in a warning. Microsoft also emphasized that the B2B leak was “caused by an unintentional misconfiguration of an endpoint not used throughout the Microsoft ecosystem and not the result of a security vulnerability.”

The Azure Blob Storage misconfiguration was discovered by cybersecurity firm SOCRadar on September 24, 2022, which named the leak BlueBleed. Microsoft said it was in the process of notifying affected customers directly. The Windows maker has not disclosed the extent of the data breach, but according to SOCRadar, it affected more than 65,000 businesses in 111 countries. The exposure amounts to 2.4 terabytes of data consisting of invoices, product orders, signed customer documents, and partner ecosystem details, among others. “The exposed data include files dated from 2017 to August 2022,” SOCRadar said. Microsoft, however, has disputed the extent of the issue, stating that the data included names, email addresses, email content, company names, phone numbers, and attached files relating to business “between a customer and Microsoft or an authorized Microsoft partner.” It also claimed in its disclosure that the threat intel company “greatly exaggerated” the scope of the problem, as the data set contains “duplicate information, with multiple references to the same emails, projects, and users.”

On top of that, Redmond expressed its disappointment over SOCRadar’s decision to release a public search tool that it said exposes customers to unnecessary security risks. SOCRadar, in a follow-up post on Thursday, likened the BlueBleed search engine to the data breach notification service “Have I Been Pwned,” describing it as a way for organizations to check whether their data was exposed in a cloud data leak. The cybersecurity vendor also said that, following Microsoft’s request, it has temporarily suspended all BlueBleed queries in the Threat Hunting module it offers to its customers as of October 19, 2022.

“Microsoft being unable (read: refusing) to tell customers what data was taken and apparently not notifying regulators – a legal requirement – has the hallmarks of a major botched response,” security researcher Kevin Beaumont tweeted. “I hope it isn’t.” Beaumont further said the Microsoft bucket “has been publicly indexed for months” by services like Grayhat Warfare and that “it’s even in search engines.” There is no evidence that the information was improperly accessed by threat actors prior to the disclosure, but such leaks could be exploited for malicious purposes such as extortion, social engineering attacks, or a quick profit.

“While some of the data that may have been accessed seems trivial, if SOCRadar is correct in what was exposed, it could include some sensitive information about the infrastructure and network configuration of potential customers,” Erich Kron, security awareness advocate at KnowBe4, told The Hacker News in an email. “This information could be valuable to potential attackers who may be looking for vulnerabilities within one of these organizations’ networks.”
