Microsoft this week confirmed that it inadvertently exposed data belonging to thousands of customers after a security lapse left an endpoint publicly accessible over the internet without any authentication.
"This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services," Microsoft said in an alert.
Microsoft also emphasized that the B2B leak was "caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability."
The misconfigured Azure Blob Storage endpoint was spotted on September 24, 2022, by cybersecurity firm SOCRadar, which named the leak BlueBleed. Microsoft said it is in the process of directly notifying affected customers.
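The misconfiguration described above is a blob container whose public access level lets anyone on the internet list and read it with no credentials. The check a defender would run against their own storage accounts, as an added example (this is not code from the original article, from SOCRadar or from Microsoft), is an unauthenticated call to Azure's documented List Blobs operation, `GET https://<account>.blob.core.windows.net/<container>?restype=container&comp=list`, with no Authorization header and no SAS token. The account and container names, the blob names and the XML responses in the demo are constructed placeholders, not the endpoint or data involved in BlueBleed; the `probe_container` function below takes a pluggable `fetch` so the parsing can be exercised offline, and `http_fetch` is what you would pass for a live probe of accounts you are authorized to test.

```python
"""Anonymous-listing probe for an Azure Blob Storage container (added example)."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Fetcher = Callable[[str], Tuple[int, bytes]]


@dataclass
class ProbeResult:
    url: str
    status: int                  # HTTP status of the first listing request
    anonymous_listing: bool      # True only for a 200 EnumerationResults reply
    blobs: List[str] = field(default_factory=list)
    error_code: str = ""         # Azure <Error><Code> on non-200 replies, if any


def listing_url(account: str, container: str, marker: Optional[str] = None) -> str:
    """Build the List Blobs URL; 'marker' continues a paged listing."""
    url = f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"
    return url + (f"&marker={marker}" if marker else "")


def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Plain unauthenticated GET; returns (status, body) for 2xx and 4xx alike."""
    req = urllib.request.Request(url, headers={"x-ms-version": "2020-10-02"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def parse_listing(body: bytes) -> Tuple[List[str], Optional[str]]:
    """Return (blob names, NextMarker) from an EnumerationResults document."""
    root = ET.fromstring(body)
    if root.tag != "EnumerationResults":
        raise ValueError(f"unexpected root element {root.tag!r}")
    names = [n.text for n in root.iterfind("./Blobs/Blob/Name") if n.text]
    nxt = root.find("NextMarker")
    return names, (nxt.text if nxt is not None and nxt.text else None)


def parse_error_code(body: bytes) -> str:
    """Pull the Azure error code (e.g. ResourceNotFound) out of an error body."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ""
    code = root.find("Code") if root.tag == "Error" else None
    return (code.text or "") if code is not None else ""


def probe_container(account: str, container: str, fetch: Fetcher = http_fetch,
                    max_pages: int = 100) -> ProbeResult:
    """Confirm anonymous listing only on a 200 EnumerationResults reply.

    Azure only answers anonymous List Blobs with 200 when the container's
    public access level is 'Container'; private containers and blob-level
    public containers answer with an error document, which is recorded.
    """
    first_url = listing_url(account, container)
    status, body = fetch(first_url)
    if status != 200:
        return ProbeResult(first_url, status, False, error_code=parse_error_code(body))
    try:
        names, marker = parse_listing(body)
    except (ET.ParseError, ValueError):
        return ProbeResult(first_url, status, False)   # 200 but not a listing
    pages = 1
    while marker and pages < max_pages:                  # follow NextMarker paging
        page_status, body = fetch(listing_url(account, container, marker))
        if page_status != 200:
            break
        more, marker = parse_listing(body)
        names.extend(more)
        pages += 1
    return ProbeResult(first_url, status, True, blobs=names)


# Constructed sample responses for the offline demo (not real captures).
_PUBLIC_PAGE1 = b"""<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://contoso-demo.blob.core.windows.net/" ContainerName="exports">
  <Blobs><Blob><Name>invoices/2022-08/INV-0001.pdf</Name></Blob>
  <Blob><Name>orders/po-4471.xlsx</Name></Blob></Blobs>
  <NextMarker>2!abc</NextMarker></EnumerationResults>"""
_PUBLIC_PAGE2 = b"""<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://contoso-demo.blob.core.windows.net/" ContainerName="exports">
  <Blobs><Blob><Name>contracts/msa-signed.pdf</Name></Blob></Blobs>
  <NextMarker /></EnumerationResults>"""
_PRIVATE = b"""<?xml version="1.0" encoding="utf-8"?>
<Error><Code>ResourceNotFound</Code><Message>The specified resource does not exist.</Message></Error>"""


def demo() -> Tuple[ProbeResult, ProbeResult]:
    """Probe one public and one private container using canned responses."""
    acct = "contoso-demo"                                # placeholder account name
    responses = {
        listing_url(acct, "exports"): (200, _PUBLIC_PAGE1),
        listing_url(acct, "exports", "2!abc"): (200, _PUBLIC_PAGE2),
        listing_url(acct, "internal"): (404, _PRIVATE),
    }
    fetch: Fetcher = lambda url: responses[url]
    return probe_container(acct, "exports", fetch), probe_container(acct, "internal", fetch)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A public container that lists anonymously will also serve every blob it names to anyone who requests it, which is how third-party indexers and search engines end up cataloguing such buckets. The durable fix is at the storage account rather than the container: clearing the account-level "Allow Blob public access" setting (`allowBlobPublicAccess`) disables anonymous access for every container regardless of its individual access level, and the probe above then returns an error document instead of a listing.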
The Windows maker did not disclose the scale of the data leak, but according to SOCRadar it affects more than 65,000 entities in 111 countries. The exposure amounts to 2.4 terabytes of data consisting of invoices, product orders, signed customer documents, and partner ecosystem details, among others.
"The exposed data include files dated from 2017 to August 2022," SOCRadar said.
Microsoft, however, has disputed the extent of the problem, stating that the data included names, email addresses, email content, company names, and phone numbers, as well as attached files relating to business "between a customer and Microsoft or an authorized Microsoft partner."
It also claimed in its disclosure that the threat intelligence firm "greatly exaggerated" the scope of the issue, since the data set contains "duplicate information, with multiple references to the same emails, projects, and users."
On top of that, Redmond expressed disappointment at SOCRadar's decision to release a public search tool, which it said exposes customers to unnecessary security risks.
SOCRadar, in a follow-up post on Thursday, likened the BlueBleed search engine to the data breach notification service "Have I Been Pwned," describing it as a way for organizations to check whether their data was exposed in a cloud data leak.
The cybersecurity vendor also said it has temporarily suspended all BlueBleed queries in the Threat Hunting module it offers to its customers as of October 19, 2022, following Microsoft's request.
"Microsoft being unable (read: refusing) to tell customers what data was taken and apparently not notifying regulators – a legal requirement – has the hallmarks of a major botched response," security researcher Kevin Beaumont tweeted. "I hope it's not."
Beaumont further said the Microsoft bucket "has been publicly indexed for months" by services like Grayhat Warfare and that "it's even in search engines."
There is no evidence that the information was improperly accessed by threat actors prior to the disclosure, but such leaks could be exploited for malicious purposes such as extortion, social engineering attacks, or a quick profit.
"While some of the data that may have been accessed seems trivial, if SOCRadar is correct in what was exposed, it could include some sensitive information about the infrastructure and network configuration of potential customers," Erich Kron, security awareness advocate at KnowBe4, told The Hacker News in an email.
"This information could be valuable to potential attackers who may be looking for vulnerabilities within one of these organizations' networks."