Microsoft leaked business transaction data on more than 65K prospective customers via misconfigured Azure storage bucket, threat intel vendor claims

Misconfigured and insecure cloud storage buckets—particularly AWS S3 buckets—pose a major data leak risk for organizations. In recent years hundreds of companies have had sensitive data exposed via this vector [292 words].

What: Threat intelligence firm SOCRadar on Wednesday claimed that its researchers had discovered sensitive business transaction data belonging to over 65,000 entities from 111 countries sitting exposed in a misconfigured Azure Blob Storage bucket maintained by Microsoft. SOCRadar described the data it discovered as including more than 335,000 emails, 548,000 users and 133,000 projects. Data exposed included statement-of-work documents, proof-of-execution documents, invoices, product offers and orders, project details, proof -of-concept projects, signed customer documents and personally identifiable information.

SOCRadar claimed the leak was the largest of several it had uncovered while investigating incidents of information exposure via misconfigured and/or poorly secured cloud storage buckets.

How Microsoft has responded: Microsoft acknowledged that a “misconfigured Microsoft endpoint” might have potentially put some business transaction data at risk of illegal access. The company described the data as corresponding to interactions between the company and prospective customers. Microsoft said that it has “quickly secured” the misconfigured endpoint when SOCRadar informed the company about the issue on Sept. 24. “The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability,” Microsoft said while adding that it would improve processes to prevent similar lapses in future.

Microsoft thanked SOCRadar for bringing the issue to its notice but then proceeded to blast it for allegedly exaggerating the details.

The details

SOCRadar’s report

Microsoft’s response