Microsoft Warns A Month Old Data Breach May Have Exposed Customer Details To Hackers

On September 24, the cyber threat intelligence company SOCRadar notified Microsoft that one of its Azure Blob Storage servers was misconfigured and leaking customer information. Now, almost a month later, both Microsoft and SOCRadar have released blog posts warning businesses that some of their transaction data and communications with Microsoft and authorized Microsoft partners may have been exposed in this leak.

According to SOCRadar, 2.4 TB of data relating to more than 65,000 companies from 111 countries was publicly available as a result of this server misconfiguration. The cybersecurity firm’s analysis has so far discovered more than 335,000 emails, 133,000 projects, and 548,000 users exposed in this data. However, Microsoft disputes these numbers, claiming in its blog post that “SOCRadar has greatly exaggerated the scope of this issue.” The blog post goes on to say that the exposed database includes duplicate information and repeated references, implying that SOCRadar’s numbers don’t accurately represent the number of unique emails, projects, and users exposed by this leak.

Microsoft’s blog post also expresses disappointment in SOCRadar’s choice to make publicly available a search tool that lets anyone check whether a domain appears in the exposed data. Microsoft argues that SOCRadar should hide the search tool behind some form of identity verification system requiring that users prove their connection to an organization before entering its domain name into the tool and receiving a result.

[Figure: SOCRadar BlueBleed search tool]

However, SOCRadar has pushed back against Microsoft’s criticism, making clear that it doesn’t hold a copy of the data. The search tool instead searches the metadata for domain names, informs users whether a particular domain name was caught up in the leak, and points users to the Microsoft Security Response Center (MSRC) if they want to know more about the exposed data associated with a particular company.

Microsoft, for its part, doesn’t seem particularly forthcoming when it comes to informing companies about the exact contents of the exposed data. One Twitter user shared the notice his company received from Microsoft, which read, “We’ve identified that your organization was in scope of this incident. Affected data types that may have been involved included names, email addresses, company name, address, or phone numbers. We are unable to provide the specific affected data from this issue.” The user ended up opening a ticket with Microsoft support in the hopes of receiving more information about the affected data. However, after some back-and-forth discussion, Microsoft support automatically archived the ticket, stating that “there is no other available information for the case.”

According to SOCRadar, the exposed files include Proof-of-Execution (PoE) documents, Statement-of-Work (SoW) documents, invoices, product orders, product offers, project details, signed customer documents, Proof-of-Concept (POC) works, customer emails, customer product price list and customer stocks, internal comments for customers, sales strategies, customer asset documents, and partner ecosystem details. These files stretch from 2017 to August 2022. Cybersecurity researcher Kevin Beaumont says that the database has been available and publicly indexed for months, with searchable cached versions available on the open web for all to see. Microsoft may have fixed the server configuration, but the nightmare for organizations affected by this leak is likely just beginning.