Microsoft server misconfiguration makes customer emails and contact information public

Image:

Microsoft server misconfiguration makes customer emails and contact information public

SOCRadar says the leak exposed data of more than 65,000 entities across 111 countries, Microsoft says this is an exaggeration

Microsoft on Wednesday disclosed details of a server misconfiguration that may have compromised some potential customers' data in September.

The Microsoft Security Response Center (MSRC) revealed in an online post that security researchers at SOCRadar had informed the company about a misconfigured Microsoft endpoint on September 24, 2022.

According to Microsoft, the misconfiguration might have allowed unauthorised access to certain business transaction data relating to interactions between the company and potential customers, such as the preparation for and deployment of Microsoft services.

After being alerted of the misconfiguration, Microsoft quickly secured the endpoint, which is now only accessible with the required credentials.

Names, email addresses, email content, company names and phone numbers were among the data exposed. It may have included attachment files relating to business between the customer and Microsoft or an authorised Microsoft partner.

According to Microsoft, the unintended configuration did not arise from a security flaw and affected one endpoint that was not in use across the Microsoft ecosystem.

A company investigation discovered no evidence that any systems or customer accounts were accessed.

While Microsoft did not specify how many potential customers were exposed as a result of the misconfiguration, SOCRadar, which refers to the exposure as BlueBleed, stated that the leak exposed data of more than 65,000 entities across 111 countries.

The SOCRadar researchers also claimed that 2.4 TB of data, including 335,000 emails and proof-of-execution and statement-of-work documents, were leaked on Azure Blob Storage instance.

The files were created between 2017 to August 2022, they added.

Microsoft rejected SOCRadar's assertions on the scope of the breach, claiming that SOCRadar 'exaggerated the numbers involved in this issue'.

An analysis of the data set revealed duplicate information, with several references to the same emails, projects, and users, the software company said.

"We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error," it noted.

In addition, Redmond said that SOCRadar's decision to make a search tool available to the general public was not in the best interests of safeguarding privacy or security of customers and potentially exposes them to unnecessary risk.

Microsoft advised any security firm that wants to provide a comparable tool to take the following basic precautions to allow data safety and privacy:

to put in place a workable verification system to ensure a user is who they say they are;
to adhere to the rules of data minimisation by restricting the information included in the results delivered to that verified user;
Not to expose information (including metadata/filenames) that could belong to another customer to a specific user where the firm is unable to identify with reasonable fidelity which customers had their data affected.