Microsoft confirms data leak caused by misconfiguration

Microsoft Wednesday confirmed that a "misconfigured endpoint" was responsible for the exposure and leak of Microsoft customer data.

The tech giant disclosed the leak via a Microsoft Security Response Center (MSRC) advisory after threat intelligence vendor SOCRadar published a blog post Wednesday claiming that the data of "65,000+ entities in 111 countries" was exposed to the world thanks to a misconfigured Azure Blob Storage instance. However, Microsoft said this figure was "greatly exaggerated."

In its post, SOCRadar wrote that the Microsoft leak only represents one of six large buckets the threat intelligence vendor recently discovered, in total representing 150,000 companies in 123 different countries. SOCRadar cumulatively refers to this leak as "BlueBleed." Microsoft, at 65,000 entities leaked, is the largest of the six, according to SOCRadar. The other five haven't been disclosed.

Microsoft said the data leaked primarily included business transaction data involving interactions between Microsoft and prospective customers, and that the leak was locked down quickly.

"Upon being notified of the misconfiguration, the endpoint was quickly secured and is now only accessible with required authentication," the MSRC post read. "Our investigation found no indication customer accounts or systems were compromised. We have directly notified the affected customers."

The MSRC post doesn't reference Azure Blob Storage directly. It did, however, corroborate other details such as personal data being exposed in the leaks. The aforementioned business transaction data included "names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner."

Microsoft added that the leak was the result of an unintentional misconfiguration "on an endpoint that is not in use across the Microsoft ecosystem," and not from a security vulnerability.

Microsoft's advisory also includes direct criticism of SOCRadar's reporting of the leak.

"We appreciate SOCRadar informing us about the misconfigured endpoint, but after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue. Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users," the advisory read. "We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error."

Moreover, Microsoft criticized a search tool launched by SOCRadar that claims to tell customers if their data is exposed based on domain name. However, any user accessing the search tool can search any domain -- amazon.com was detected on the tool, for example -- which Microsoft criticized.

"We are disappointed that SOCRadar has chosen to release publicly a 'search tool' that is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk," the post read. "We recommend that any security company that wants to provide a similar tool follow basic measures to enable data protection and privacy."

Examples provided by Microsoft included a reasonable verification system, data minimization principles and to not surface data for one customer that may belong to another.

TechTarget Editorial has contacted both Microsoft and SOCRadar for more information. SOCRadar did not response at press time; Microsoft declined to comment further.

UPDATE 10/21: SOCRadar published a follow-up blog post Thursday responding to Microsoft's criticism. The threat intelligence company said that it temporarily suspended any BlueBleed queries in its Threat Hunting Module, per Microsoft's request. However, SOCRadar disputed the Microsoft's claim that it had exaggerated the scope of the leak and that its BlueBleed Search Engine posed a risk to Microsoft customers.

"To be more precise, what poses a greater threat is maintaining sensitive data of organizations in a public bucket," the company said in the blog post.

SOCRadar CISO and vice president of research Ensar Şeker told TechTarget Editorial in an email that not all of the supposed duplicates were strictly duplicates -- some appeared to be distinct parts of a larger enterprise.

"Some of the files Microsoft is claiming are duplicates were actually exposed data for different branches of the same multinational business," he said. "In many cases, these organizations appear to have separate leadership, financial accounts and IT architectures. We believe those are different entities, but according to Microsoft, those are not different entities, those are all one account."

Şeker said also SOCRadar keeps no actual data and that the search tool operates similarly to data breach tool Have I Been Pwned.

"We prepared a query page to inform the companies affected by this and similar data leaks. On this query page, companies can see whether their data is published anonymously in any open buckets," Şeker said. "You can think of it like a B2B version of Have I Been Pwned. The leaked data does not belong to us, so we keep no data at all. At the moment, all these misconfigured buckets are safe, secure, and protected because of us. We share no data with anyone, we only inform the public about the incident to prevent future leaks and to raise awareness."

Alexander Culafi is a writer, journalist and podcaster based in Boston.