Configuration error caused the data leak, says Microsoft

Microsoft said on Wednesday that the exposure and breach of client data at Microsoft were caused by a "misconfigured endpoint." After threat intelligence provider SOCRadar claimed in a blog post on Wednesday that the data of "65,000+ entities in 111 countries" was made public due to a poorly configured Azure Blob Storage instance, the tech giant announced the leak via a Microsoft Security Response Center (MSRC) advisory. Microsoft claimed that this number was "greatly inflated," nevertheless.

The threat intelligence firm recently uncovered six sizable buckets, totaling 150,000 companies in 123 nations, of which the Microsoft leak is just one, according to SOCRadar. This leak is referred to collectively by SOCRadar as "Blue-Bleed." The largest of the six is Microsoft, according to SOCRadar, with 65,000 entities exposed. Nothing is known about the other five. Microsoft claimed that the vulnerability was immediately patched up and that the data that was exposed was mostly related to business transactions involving communications between Microsoft and potential clients.

The endpoint was immediately secured after the MSRC was made aware of the configuration error, according to the company, and is now only reachable with the necessary authentication. No evidence of compromised systems or customer accounts was discovered throughout our examination. The impacted customers have been directly informed. The MSRC post doesn't specifically mention Azure Blob Storage. However, it did confirm other information, such as the disclosure of personal information in the breaches. In addition to names, email addresses, email content, company names, and phone numbers, the aforementioned business transaction data may have also contained files that were attached and related to transactions between a customer and Microsoft or an authorized Microsoft partner.

The breach, according to Microsoft, was caused by an unintended misconfiguration on an endpoint that is not currently in use throughout the Microsoft ecosystem, not a security flaw. The SOCRadar report on the leak is specifically criticized in Microsoft's alert as well. We are grateful that SOCRadar alerted us to the incorrectly set endpoint, however after reading their blog article, we must first point out that SOCRadar substantially overstated the severity of this problem. The data set has duplicate information, with several references to the same emails, projects, and users, according to our in-depth research and analysis of it. We are concerned that SOCRadar overstated the number of people affected by this issue even after we pointed out their error because we take this matter very seriously.

Microsoft also questioned SOCRadar's search engine, which purports to inform users if their data has been compromised based on the domain name. However, Microsoft complained that any user who accesses the search tool can search any domain; was found on the tool, for instance. We regret SOCRadar's decision to make a "search tool" available to the public since it may not be in the best interests of protecting client privacy or security and may subject them to unwarranted risk. We advise any security firm that wants to offer a comparable solution to take the very minimum precautions to ensure data confidentiality and privacy. Microsoft gave a few examples, such as using an acceptable verification mechanism, adhering to data minimization guidelines, and avoiding surfacing data for one client that may belong to another.