Microsoft Data Breach Exposes Customers’ Contact Info, Emails (BlueBleed)

Some of Microsoft's customers' sensitive information was exposed by a misconfigured Microsoft server accessible over the Internet. Microsoft secured the server after being notified of the leak on September 24, 2022 by security researchers at threat intelligence firm SOCRadar.

"This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services," the company revealed. "Our investigation found no indication customer accounts or systems were compromised. We have directly notified the affected customers."

Microsoft revealed the exposed information included names, email addresses, email content, company name, phone numbers, and files linked to Microsoft and an authorized partner. The leak was the result of an unintentional misconfiguration on an endpoint used across the Microsoft ecosystem, and was not the result of a security vulnerability.

According to SOCRadar, the data leak contained sensitive information for more than 65,000 entities from 111 countries, and was dated between 2017 and August 2022. The leak was the result of a misconfiguration on Azure Blob Storage.

The threat intel company added that the leaked data "includes Proof-of-Execution (PoE) and Statement of Work (SoW) documents, user information, product orders/offers, project details, PII (Personally Identifiable Information) data, and documents that may reveal intellectual property."

Analyst comments:
Microsoft responded to SOCRadar’s blog post, claiming that the researchers “greatly exaggerated the scope of the issue and the numbers. Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error.”

SOCRadar released a data leak search portal called BlueBleed, where companies can search for sensitive information that may have resided on the public storage buckets.

In Microsoft's server alone, SOCRadar claims to have found 2.4 TB of data containing sensitive information, with more than 335,000 emails, 133,000 projects, and 548,000 exposed users discovered so far while analyzing the leaked files. Per SOCRadar's analysis, these files contain customer emails, SOW documents, product offers, POC (Proof of Concept) work, partner ecosystem details, invoices, project details, customer product price lists, POE documents, product orders, signed customer documents, internal comments about customers, sales strategies, and customer asset documents.

If a threat actor accessed the bucket, they could use the data for extortion or blackmail, for social engineering attacks against the named contacts, or simply sell the information on the dark web or through Telegram channels.

Microsoft has pushed back on SOCRadar’s search page, saying “it is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk.”

Mitigation tips:
At your own risk, users can use the BlueBleed website (https://socradar.io/labs/bluebleed) to check whether their data was potentially leaked as a result of this misconfiguration.
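Beyond checking the BlueBleed portal, the practical defensive step for anyone running Azure Blob Storage is to audit whether any of their own containers permit the kind of anonymous, unauthenticated access the article describes. The following Python script is an added example and is not code from the article, Microsoft or SOCRadar. It reads JSON shaped like the output of the real Azure CLI commands `az storage account list -o json` and `az storage container list --account-name <name> --auth-mode login -o json` (the field names `allowBlobPublicAccess` and `properties.publicAccess` are the CLI's own; the sample account and container data are constructed here), lists every container readable without credentials, and prints the CLI commands that would close each one (the resource group is a placeholder).

```python
"""Flag Azure Blob Storage containers that permit anonymous (unauthenticated) reads.

Added example, not from the article or from Microsoft/SOCRadar. It works on JSON
shaped like the output of these Azure CLI commands (field names assumed to match
current CLI output):

    az storage account list -o json
    az storage container list --account-name <name> --auth-mode login -o json

The sample documents below are constructed for this example.
"""
import json

# Constructed sample: two storage accounts, one still allowing public blob access.
SAMPLE_ACCOUNTS_JSON = json.dumps([
    {"name": "contosoprod", "allowBlobPublicAccess": False},
    {"name": "salesdocs", "allowBlobPublicAccess": True},
])

# Constructed sample: containers per account, keyed by account name.
SAMPLE_CONTAINERS_JSON = json.dumps({
    "contosoprod": [
        {"name": "backups", "properties": {"publicAccess": None}},
    ],
    "salesdocs": [
        {"name": "sow-archive", "properties": {"publicAccess": "container"}},
        {"name": "invoices", "properties": {"publicAccess": "blob"}},
        {"name": "internal", "properties": {"publicAccess": None}},
    ],
})

# publicAccess values the CLI reports when anonymous reads are allowed:
# "blob" = individual blobs readable by URL, "container" = listing allowed too.
ANONYMOUS_LEVELS = {"blob", "container"}


def accounts_allowing_public_access(accounts_json):
    """Return names of accounts whose account-level switch permits public blobs."""
    return [a["name"] for a in json.loads(accounts_json) if a.get("allowBlobPublicAccess")]


def exposed_containers(accounts_json, containers_json):
    """Return (account, container, level) for every anonymously readable container.

    A container is only anonymously readable when BOTH the account allows public
    access AND the container's own access level is 'blob' or 'container'.
    """
    public_accounts = set(accounts_allowing_public_access(accounts_json))
    findings = []
    for account, containers in json.loads(containers_json).items():
        if account not in public_accounts:
            continue  # account-level switch already blocks anonymous reads
        for c in containers:
            level = (c.get("properties") or {}).get("publicAccess")
            if level in ANONYMOUS_LEVELS:
                findings.append((account, c["name"], level))
    return findings


def remediation_commands(findings):
    """Azure CLI commands that would close each finding.

    <RESOURCE_GROUP> is a placeholder; fill in the account's resource group.
    """
    cmds = []
    for account, container, _ in findings:
        cmds.append(
            f"az storage container set-permission --name {container} "
            f"--account-name {account} --public-access off"
        )
    # Turn off the account-level switch as well so no container can be re-exposed.
    for account in sorted({a for a, _, _ in findings}):
        cmds.append(
            f"az storage account update --name {account} "
            f"--resource-group <RESOURCE_GROUP> --allow-blob-public-access false"
        )
    return cmds


if __name__ == "__main__":
    hits = exposed_containers(SAMPLE_ACCOUNTS_JSON, SAMPLE_CONTAINERS_JSON)
    for account, container, level in hits:
        print(f"EXPOSED {account}/{container}: anonymous access level = {level}")
    for cmd in remediation_commands(hits):
        print(cmd)
```

In a real audit, replace the two constructed JSON strings with the captured output of the CLI commands named in the docstring; the account-level `allowBlobPublicAccess` check matters because a container marked `blob` or `container` is harmless as long as the account itself refuses anonymous requests.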

Sources:
https://msrc-blog.microsoft.com/202...g-misconfigured-microsoft-storage-location-2/
https://www.bleepingcomputer.com/ne...breach-exposes-customers-contact-info-emails/