Microsoft confirms blunder results in user data leak

A misconfigured Microsoft endpoint was exposing sensitive data about Microsoft’s customers to the wider internet, the company confirmed in a press release published earlier this week. Announcing the news this Wednesday, the Redmond giant said threat intelligence firm SOCRadar notified it of the misconfiguration in late September, and that it plugged the hole soon afterwards.

The language used in the announcement seems to suggest that the data wasn’t accessed by an unauthorized third party: “This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers,” the company said.

These interactions, the company further stated, revolved around planning, potential implementation, and provisioning of Microsoft services. 

No viruses involved

“Our investigation found no indication customer accounts or systems were compromised. We have directly notified the affected customers,” it added. 

Further in the announcement, it was said that the data included customer names, email addresses, contents of the emails, company names, and phone numbers. Furthermore, the endpoint was leaking files related to the work done between clients, Microsoft, and/or authorized partners. 

No vulnerability abuse or malware was involved – it was simply an endpoint misconfiguration, Microsoft confirmed.

While the company was relatively stingy on details, SOCRadar was happy to provide more insight. In a new blog post, the company said the data resided on an Azure Blob Storage, and that more than 65,000 entities from 111 countries were exposed. The oldest files dated back to 2017.

“On September 24, 2022, SOCRadar’s built-in Cloud Security Module detected a misconfigured Azure Blob Storage maintained by Microsoft containing sensitive data from a high-profile cloud provider,” SOCRadar said. The data included “Proof-of-Execution (PoE) and Statement of Work (SoW) documents, user information, product orders/offers, project details, PII (Personally Identifiable Information) data, and documents that may reveal intellectual property.”

Microsoft played down SOCRadar’s findings, saying the company “greatly exaggerated” the scope of the issue and the numbers, BleepingComputer reports. It also criticized SOCRadar for indexing the data and building a search portal for it, saying the move was “not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk.”

SOCRadar’s analysis determined 2.4 TB of data were exposed, holding 335,000 emails, details on 133,000 projects, and 548,000 users. 

Via: BleepingComputer