This week, Microsoft confessed that the data of thousands of customers were left unsecured and exposed to the public due to a security error.
Microsoft issued an alert and said, “This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services,”
Microsoft emphasized the B2B leak and clarified that it was “caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability.”
The configuration error in the Azure Blob Storage was identified by cybersecurity company SOCRadar which claims that more than 65,000 entities in 111 countries have been affected by the data leak and 2.4 terabytes of data were exposed, including invoices, product orders, signed customer documents, and partner ecosystem details.
SOCRadar said “The exposed data include files dated from 2017 to August 2022,”
But Microsoft has contended that the issue was not as severe as people made it out to be by arguing that the data only included names, email addresses, and business-related content.
Microsoft said: “We appreciate SOCRadar informing us about the misconfigured endpoint, but after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue”.
Microsoft added, “Our in-depth investigation and analysis of the dataset show duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error”.
“More importantly, we are disappointed that SOCRadar has chosen to release publicly a ‘search tool’ that is not in the best interest of ensuring customer privacy or security, and potentially exposing them to unnecessary risk.”
SOCRadar explains that its BlueBleed search tool only indicates if a domain name was included in the data dump, and any other information is not publicly accessible.
SOCRadar clarified “What we aim for with the BlueBleed search engine is basically an enterprise version of Have I Been Pwned, where organizations can search if their data was exposed in some of the cloud data leaks our CSM has detected so far,”
“As a cyber threat intelligence company, we owe this to the community”.
“Therefore, we do not see any ‘unnecessary risk’ that endangers customer privacy and security. To be more precise, what poses a greater threat is maintaining sensitive data of organizations in a public bucket”.
“We are highly disappointed about MSRC’s comments and claims after all the cooperation and support provided by us that absolutely prevented the global cyber disaster.”
There’s no proof that cyber criminals or any suspicious actors accessed the information before it was public, such leaks could be used to extort people, social media attacks, or make a quick buck.
Erich Kron, the security awareness advocate at KnowBe4, stated that “While some of the data that may have been accessed seem trivial if SOCRadar is correct in what was exposed, it could include some sensitive information about the infrastructure and network configuration of potential customers.”
He added, “This information could be valuable to potential attackers who may be looking for vulnerabilities within one of these organizations’ networks.”
Marrium Akhtar
November 24, 2022
1 year ago
