Misconfigured Azure Blob Storage Exposed the Data of 65K Companies and 548K Users


On Wednesday, October 19th, Microsoft confirmed that it accidentally exposed an Azure Blob Storage that contained sensitive data records of its customers. There is no indication of any unauthorized access to the data through the misconfiguration.

The misconfigured bucket was discovered by Extended Threat Intelligence (XTI) services provider SOCRadar on September 24, 2022, who alerted Microsoft on the same day. The tech giant later confirmed that the exposed data included names, email addresses, email content, company name, and phone numbers and “may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner.”

Microsoft didn’t mention exactly how many data records were exposed. According to SOCRadar’s assessmentOpens a new window , the exposed server stored 2.4 terabytes of data from 65,000 companies based in 111 countries, including 335,000 emails, 133,000 projects, and 548,000 exposed users.

File types that were exposed were Proof-of-Execution (PoE) documents, statement of work (SoW) documents,  invoices, product orders, product offers, project details, signed customer documents, proofs of concept works, customer emails (as well as .EML files), customer product price lists and customer stocks, internal comments for customers, sales strategies, customer asset documents, and partner ecosystem details.

“The amount and scale of the leaked data make it the most significant B2B data leak in the recent history of cybersecurity,” SOCRadar wrote in a blog post. The company apprised its own customers who were affected and provided a search toolOpens a new window for anyone to see if their data is among any of the six storage buckets (including Microsoft’s) that were exposed via misconfigurations.

Microsoft said it is also notifying impacted customers and added, “We appreciate SOCRadar informing us about the misconfigured endpoint, but after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue.”

See More: Toyota Suffers Data Breach from “Mistakenly” Exposed Access Key on GitHub

Erich Kron, a security awareness advocate at KnowBe4, explained the risks associated with inadvertently exposed data to Spiceworks. “While some of the data that may have been accessed seem trivial, if SOCRadar is correct in what was exposed, it could include some sensitive information about the infrastructure and network configuration of potential customers,” Kron said.

“This information could be valuable to potential attackers who may be looking for vulnerabilities within one of these organizations’ networks.”

Cloud is rapidly becoming a technology mainstay in organizations. According to Web Tribunal, data stored in cloud data centers will exceed 100 Zettabytes by 2025Opens a new window . Gartner also estimates that by 2025, 51% of IT spendingOpens a new window in application software, infrastructure software, business process services and system infrastructure markets will have shifted from traditional solutions to the public cloud.

Kron added, “While cloud services can be very convenient and if secured properly, also very secure, when a misconfiguration occurs, the information can be exposed to many more potential people compared to traditional internal on-premise systems.”

According to IBM’s X-Force Threat Intelligence Index 2022, misconfigurations (specifically API-related) caused nearly two-thirdsOpens a new window of observed incidents in 2021. Going back a bit further, DivvyCloud said an estimated 33.4 billion recordsOpens a new window were exposed due to cloud misconfigurations between 2018 and 2019.

“This is simply something organizations that are hosting applications and data in any of the various cloud platforms need to understand. Policies related to double checking configuration changes, or having them confirmed by another person, is not a bad idea when the outcome could lead to the exposure of sensitive data,” Kron concluded.

Unfortunately, humans tend to make mistakes. “As long as humans are involved in the configuration of such data buckets, we’ll continue to see leaks,” Chris Hauk, consumer privacy advocate at Pixel Privacy, told Spiceworks.

Microsoft secured the misconfigured storage bucket the same day it was alerted by SOCRadar. The company said they have no evidence that customer accounts or systems were compromised.

“Although Microsoft hasn’t stated outright that the exposed data was actually stolen, our honeypot studies show misconfigured servers like these can be found and attacked within a matter of hours,” Paul Bischoff, consumer privacy advocate at Comparitech, told Spiceworks.

“Microsoft business customers and partners who were affected by the leak should be on the lookout for targeted phishing emails and text messages. Given that the parties involved are high-level employees, they are lucrative targets for CEO fraud and business email compromise.”

Redmond also expressedOpens a new window disappointment at the prospect of SOCRadar publicly releasing the search tool stating it could hamper privacy and bring security risks, and suggested a few pointers.

Let us know if you enjoyed reading this news on LinkedInOpens a new window , TwitterOpens a new window , or FacebookOpens a new window . We would love to hear from you!

Image source: Shutterstock