Microsoft slams external researchers over its own data leak

Microsoft has criticised external security researchers at threat intelligence specialist SOCRadar, accusing them of needlessly exaggerating the scope of, and potential danger arising from, the exposure of Microsoft customer data that leaked from a misconfigured Azure Blob storage instance.

Microsoft was informed about the issue on 24 September, and found that the accidental misconfiguration resulted in “the potential” for unauthorised access to business transaction data relating to prospective Microsoft customers. The data included names, email addresses and email contents, and company names and contact details.

Microsoft secured the misconfigured endpoint and has found no indication that any customer accounts or systems were compromised. Those impacted have all been notified.
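The misconfiguration class at the centre of this story is a storage container that permits anonymous read access. The following is an added example, not code from the article, Microsoft or SOCRadar, showing how a defender can audit their own Azure Storage accounts for that setting. It assumes the JSON shapes returned by `az storage account show` (the `allowBlobPublicAccess` flag) and `az storage container list` (the `properties.publicAccess` value, which is `null`, `"blob"` or `"container"`); the sample records below are constructed and nothing here contacts Azure.

```python
"""Audit Azure Storage container public-access settings (added example).

Assumption: the input mirrors the fields returned by
`az storage account show` and `az storage container list`.
"""
import json

# Constructed sample account and container listing (not real data).
SAMPLE_ACCOUNT = json.dumps({"name": "examplestorage", "allowBlobPublicAccess": True})
HARDENED_ACCOUNT = json.dumps({"name": "examplestorage", "allowBlobPublicAccess": False})
SAMPLE_CONTAINERS = json.dumps([
    {"name": "prospects-export", "properties": {"publicAccess": "container"}},
    {"name": "sql-backups", "properties": {"publicAccess": "blob"}},
    {"name": "internal", "properties": {"publicAccess": None}},
])

# What each container-level public access value lets an anonymous client do.
PUBLIC_LEVELS = {
    "container": "anonymous clients can list and read every blob in the container",
    "blob": "anonymous clients can read any blob whose URL they know",
}


def audit_account(account_json, containers_json):
    """Return a list of findings for one storage account and its containers.

    Each finding is a dict with scope, name, severity and reason. A container
    is only truly exposed when the account-level flag allows public access
    AND the container itself is set to 'blob' or 'container'.
    """
    account = json.loads(account_json)
    containers = json.loads(containers_json)
    # Treat an absent account-level flag as permissive so the audit errs toward flagging.
    allow_public = account.get("allowBlobPublicAccess", True)
    findings = []

    if allow_public:
        findings.append({
            "scope": "account", "name": account["name"], "severity": "medium",
            "reason": "account permits anonymous blob access; container settings decide exposure",
        })

    for container in containers:
        level = (container.get("properties") or {}).get("publicAccess")
        if level is None:
            continue  # private container: nothing to report
        if level not in PUBLIC_LEVELS:
            findings.append({
                "scope": "container", "name": container["name"], "severity": "low",
                "reason": "unrecognised publicAccess value %r; review manually" % level,
            })
            continue
        if allow_public:
            findings.append({
                "scope": "container", "name": container["name"], "severity": "high",
                "reason": PUBLIC_LEVELS[level],
            })
        else:
            # The container asks for public access but the account blocks it.
            findings.append({
                "scope": "container", "name": container["name"], "severity": "info",
                "reason": "publicAccess=%s set but blocked by the account-level setting" % level,
            })
    return findings


def exposed_containers(findings):
    """Names of containers that are actually reachable anonymously, sorted."""
    return sorted(f["name"] for f in findings
                  if f["scope"] == "container" and f["severity"] == "high")


if __name__ == "__main__":
    for finding in audit_account(SAMPLE_ACCOUNT, SAMPLE_CONTAINERS):
        print("[%s] %s %s: %s" % (finding["severity"], finding["scope"],
                                  finding["name"], finding["reason"]))
```

Run against the constructed sample, the audit reports the account as permissive and two containers as exposed; with the account-level flag set to false the same containers drop to informational findings, which is why disabling public access at the account level is the simpler control to enforce across a fleet than policing every container.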

SOCRadar claimed that the data related to more than 65,000 organisations worldwide, and said that after its team discovered the exposed Azure Blob, it then investigated a storage area in the Blob where SQL Server backups were stored, and from there established links to other Blobs, potentially compromising the sensitive data of over 100,000 organisations.

It has dubbed this collection of exposures BlueBleed, and claimed that it may be one of the most significant B2B leaks of recent years.

It initially released a BlueBleed search tool for organisations to use to find out whether they were impacted, but has since suspended that following complaints from Microsoft.

Microsoft said: “We appreciate SOCRadar informing us about the misconfigured endpoint, but after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue.

“Our in-depth investigation and analysis of the dataset shows duplicate information, with multiple references to the same emails, projects and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error.

“More importantly, we are disappointed that SOCRadar has chosen to release publicly a ‘search tool’ that is not in the best interest of ensuring customer privacy or security, and potentially exposing them to unnecessary risk.”

SOCRadar said its BlueBleed search tool only showed whether or not a domain name was detected in the data dump, and did not publicly provide any other details.

“What we aim for with the BlueBleed search engine is basically an enterprise version of Have I Been Pwned, where organisations can search if their data was exposed in some of the cloud data leaks our CSM [cloud security module] has detected so far,” it said. “As a cyber threat intelligence company, we owe this to the community.

“Therefore, we do not see any ‘unnecessary risk’ that endangers customer privacy and security. To be more precise, what poses a greater threat is maintaining sensitive data of organisations in a public bucket.

“We are highly disappointed about MSRC’s comments and claims after all the cooperation and support provided by us that absolutely prevented the global cyber disaster.”

Chris Hauk, consumer privacy advocate at Pixel Privacy, commented: “Unfortunately, many of the data leaks we see these days are because of misconfigured Azure and Amazon Web Services data buckets, leading to leaks. As long as humans are involved in the configuration of such data buckets, we will continue to see leaks. Luckily, the affected customer count is relatively low.”

Comparitech’s Paul Bischoff added: “Microsoft business customers and partners who were affected by the leak should be on the lookout for targeted phishing emails and text messages. Given that the parties involved are high-level employees, they are lucrative targets for CEO fraud and business email compromise.

“Although Microsoft hasn’t stated outright that the exposed data was actually stolen, our honeypot studies show misconfigured servers like these can be found and attacked within a matter of hours.”