Microsoft data breach exposes customers’ contact info, emails

Microsoft said today that some of its customers' sensitive information was exposed by a misconfigured Microsoft server accessible over the Internet.

The company secured the server after being notified of the leak on September 24, 2022 by security researchers at threat intelligence firm SOCRadar.

"This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services," the company revealed.

"Our investigation found no indication customer accounts or systems were compromised. We have directly notified the affected customers."

According to Microsoft, the exposed information includes names, email addresses, email content, company name, and phone numbers, as well as files linked to business between affected customers and Microsoft or an authorized Microsoft partner.

Redmond added that the leak was caused by the "unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem" and not due to a security vulnerability.

Leaked data allegedly linked to 65,000 entities worldwide

While Microsoft refrained from providing any additional details regarding this data leak, SOCRadar revealed in a blog post published today that the data was stored on misconfigured Azure Blob Storage.

In total, SOCRadar claims it was able to link this sensitive information to more than 65,000 entities from 111 countries stored in files dated from 2017 to August 2022.

"On September 24, 2022, SOCRadar's built-in Cloud Security Module detected a misconfigured Azure Blob Storage maintained by Microsoft containing sensitive data from a high-profile cloud provider," SOCRadar said.

The threat intel company added that, from its analysis, the leaked data "includes Proof-of-Execution (PoE) and Statement of Work (SoW) documents, user information, product orders/offers, project details, PII (Personally Identifiable Information) data, and documents that may reveal intellectual property."

Microsoft added today that it believes SOCRadar "greatly exaggerated the scope of this issue" and "the numbers."

Furthermore, Redmond said that SOCRadar's decision to collect the data and make it searchable using a dedicated search portal "is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk."

According to a Microsoft 365 Admin Center alert regarding this data breach published on October 4, 2022, Microsoft is "unable to provide the specific affected data from this issue."

The company's support team also reportedly told customers who reached out that it would not notify data regulators because "no other notifications are required under GDPR" besides those sent to impacted customers.

The exposed data includes, for example, emails from US .gov, talking about O365 projects, money etc - I found this not via SOCRadar, it's cached.

A post in M365 Admin Center, ignoring regulators and telling acct managers to blow off customers ain't going to cut it.

— Kevin Beaumont (@GossiTheDog) October 20, 2022

Online tool to search the leaked data

SOCRadar's data leak search portal is named BlueBleed and it allows companies to find if their sensitive info was also exposed with the leaked data.

Besides what was found inside Microsoft's misconfigured server, BlueBleed also allows searching for data collected from five other public storage buckets.

In Microsoft's server alone, SOCRadar claims to have found 2.4 TB of data containing sensitive information, with more than 335,000 emails, 133,000 projects, and 548,000 exposed users discovered while analyzing the leaked files until now.

Per SOCRadar's analysis, these files contain customer emails, SOW documents, product offers, POC (Proof of Concept) works, partner ecosystem details, invoices, project details, customer product price list, POE documents, product orders, signed customer documents, internal comments for customers, sales strategies, and customer asset documents.

"Threat actors who may have accessed the bucket may use this information in different forms for extortion, blackmailing, creating social engineering tactics with the help of exposed information, or simply selling the information to the highest bidder on the dark web and Telegram channels," SOCRadar warned.

"No data was downloaded. Some of the data were crawled by our engine, but as we promised to Microsoft, no data has been shared so far, and all this crawled data was deleted from our systems," SOCRadar VP of Research and CISO Ensar Şeker told BleepingComputer.

"We redirect all our customers to MSRC if they want to see the original data. Search can be done via metadata (company name, domain name, and email). Due to persistent pressure from Microsoft, we even have to take down our query page today.

"On this query page, companies can see whether their data is published anonymously in any open buckets. You can think of it like a B2B version of haveIbeenpwned. The leaked data does not belong to us, so we keep no data at all.

"We are highly disappointed about MSRC’s comments and accusations after all the cooperation and support provided by us that absolutely prevented the global cyber disaster."

Update October 19, 14:44 EDT: Added more info on SOCRadar's BlueBleed portal.

Update October 20,  08:15 EDT: Added SOCRadar statement and info on a notification pushed by Microsoft through the M365 admin center on October 4th.