Microsoft Confirms Server Misconfiguration Led to 65,000+ Companies’ Data Leak

Microsoft this week acknowledged that it unintentionally exposed information about thousands of customers after a misconfiguration left a storage endpoint publicly reachable over the internet without any authentication.

According to a warning from Microsoft, “this misconfiguration created the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and potential customers, such as the planning or potential implementation and provisioning of Microsoft services.”

Microsoft highlighted that there was no security flaw to blame for the B2B leak, which was “triggered by an unintended misconfiguration on an endpoint that is not in use across the Microsoft ecosystem.”

Security firm SOCRadar discovered the Azure Blob Storage configuration error on September 24, 2022, and named the leak BlueBleed. Microsoft stated that it is directly notifying affected customers.
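The root cause described above is an Azure Blob Storage container that answered unauthenticated requests. The check a practitioner would want is the same one SOCRadar's scan amounted to: send the standard Azure List Blobs request with no credentials and see whether the service enumerates the container. The script below is an added example, not code from the article, Microsoft, or SOCRadar. The storage account name, container name, and sample XML response are constructed for illustration, and the mapping of HTTP status codes to a verdict is this script's own assumption about how Azure answers anonymous requests, so treat anything other than a 200 as "not publicly listable" rather than as a precise diagnosis.

```python
"""Probe an Azure Blob Storage container for anonymous (unauthenticated) listing.

Added example: not code from the article, Microsoft, or SOCRadar.
Only run this against storage accounts you are authorized to test.
"""
from __future__ import annotations

import urllib.error
import urllib.request
import xml.etree.ElementTree as ET


def list_blobs_url(account: str, container: str) -> str:
    """Build the Azure 'List Blobs' REST URL. No Authorization header is sent on purpose."""
    return f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"


def http_get(url: str) -> tuple[int, bytes]:
    """Unauthenticated GET; returns (status, body) even for error responses."""
    req = urllib.request.Request(url, headers={"x-ms-version": "2020-10-02"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def classify(status: int, body: bytes) -> dict:
    """Turn the raw response into a verdict.

    Status-code interpretation is this script's assumption:
      200       -> the container lists anonymously (public access level 'Container')
      403 / 409 -> public access is switched off at account or container level
      404       -> container is private or does not exist (Azure does not tell anonymous callers which)
    """
    if status == 200:
        root = ET.fromstring(body)
        names = [b.findtext("Name") for b in root.iter("Blob")]
        return {"anonymous_listing": True, "blob_count": len(names), "sample": names[:5]}
    if status in (403, 409):
        return {"anonymous_listing": False, "reason": "public access disabled at account or container level"}
    if status == 404:
        return {"anonymous_listing": False, "reason": "container private or absent"}
    return {"anonymous_listing": False, "reason": f"unexpected HTTP {status}"}


def check_anonymous_listing(account: str, container: str, fetch=http_get) -> dict:
    """Probe one container. `fetch` is injectable so the logic can be exercised offline."""
    return classify(*fetch(list_blobs_url(account, container)))


# Constructed sample of what a publicly listable container returns (not real data).
SAMPLE_PUBLIC_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="exports">
  <Blobs>
    <Blob><Name>invoices/2021-Q4.pdf</Name></Blob>
    <Blob><Name>orders/contoso-signed.docx</Name></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""


if __name__ == "__main__":
    # Offline demonstration against the constructed response; swap in the
    # default `http_get` fetcher to probe a real account you are allowed to test.
    print(check_anonymous_listing("example", "exports", fetch=lambda url: (200, SAMPLE_PUBLIC_RESPONSE)))
    print(check_anonymous_listing("example", "private", fetch=lambda url: (404, b"")))
```

A 200 with an `EnumerationResults` body is the BlueBleed condition: anyone on the internet can enumerate and then fetch every object in the container. Note that a container can still serve individual blobs anonymously (access level "Blob") without listing them, so a 404 here does not prove the data is private, only that it cannot be enumerated.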

Microsoft did not disclose the scope of the leak, but according to SOCRadar it affects over 65,000 companies across 111 countries. Some 2.4 terabytes of data were exposed, including invoices, product orders, signed customer documents, partner ecosystem information, and more.

According to SOCRadar, “The exposed data contain files dated from 2017 to August 2022.”

However, Microsoft has contested the scope of the problem, claiming that the information in question included names, email addresses, email content, company names, phone numbers, and attached files pertaining to transactions “between a customer and Microsoft or an authorized Microsoft partner.”

Microsoft further stated in its disclosure that the data set contained “duplicate material, with several references to the same emails, projects, and people,” and said the threat intelligence firm had “greatly overstated” the severity of the issue.

Redmond also voiced its dissatisfaction with SOCRadar’s decision to publish a search function for the leaked data, arguing that doing so exposes customers to unnecessary security risk.

In a follow-up post published on Thursday, SOCRadar compared the BlueBleed search engine to the “Have I Been Pwned” data breach notification tool, presenting it as a way for businesses to determine whether their data had been compromised in a cloud data leak.

According to the cybersecurity provider, as of October 19, 2022, all BlueBleed inquiries in the Threat Hunting module it makes available to its clients have been temporarily suspended at Microsoft’s request.

Security researcher Kevin Beaumont observed that Microsoft appears to have neglected to notify regulators, which is required by law, and is unable (read: unwilling) to tell customers what data was taken, adding: “I really hope not.”

In addition, Beaumont said that the Microsoft bucket “has been openly indexed for months” and “it’s even in search engines.”

Although there is no evidence that threat actors accessed the data before its disclosure, exposures of this kind can still be exploited for extortion, social engineering attacks, or resale for profit.

Erich Kron, security awareness advocate at KnowBe4 stated that, “While some of the data that may have been accessed seems trivial, if SOCRadar is correct in what was exposed, it could include some sensitive information about the infrastructure and network configuration of potential customers.”

Attackers looking for weaknesses in the networks of any of these businesses would find such information useful.
