Threat intelligence firm SOCRadar reported that a Microsoft customer data breach affected hundreds of thousands of users from thousands of entities worldwide.
Dubbed BlueBleed Part 1, the Microsoft data leak exposed at least 2.4 terabytes of sensitive data belonging to 65,000 entities in 111 countries. SOCRadar said the leak originated from a misconfigured Azure Blob Storage instance maintained by Microsoft that held the high-profile cloud provider’s sensitive customer data.
Describing the incident as among the “most significant B2B leaks” in recent cybersecurity history, SOCRadar warned that the breach could reveal intellectual property and lead to extortion, blackmail, and social engineering attacks.
Microsoft’s customer data breach exposed hundreds of thousands of users
SOCRadar reported that the BlueBleed Part 1 data set contains more than 335,000 emails, 133,000 projects, and 548,000 users.
The leaked data included names, email addresses, phone numbers, email contents (including .eml files), signed customer documents, user information, product orders, offers, project details, invoices, and POE (Proof-of-Execution) and SOW (Statement of Work) documents. Other details included customer product price lists, customer stocks, internal comments on customers (e.g., “high risk”), sales strategies, customer asset documents, and partner ecosystem details.
Upon discovery, SOCRadar notified Microsoft, which fixed the configuration flaw, and sent notifications to impacted customers. Additionally, the company created a search tool similar to “Have I Been Pwned” to allow organizations to determine whether their customer data was exposed.
SOCRadar also deleted the data at Microsoft’s request but retained metadata, including company name, email, and domain name, so that customers could use the search tool. However, the company could not determine how long the customer data had been exposed or whether any malicious actor had accessed it.
Nevertheless, Microsoft said there was “no indication customer accounts or systems were compromised” due to the data breach.
According to cybersecurity researcher and former Microsoft employee Kevin Beaumont, the exposure contained data from 2014 onwards, had been publicly indexed by search engines for months, and was listed in Grayhat Warfare’s database of open buckets. Beaumont added that the leaked customer data included emails from .gov domains and information about 365 projects and critical national infrastructure (CNI). He also explained that Microsoft had backed up its SQL database to an open bucket, exposing customer data to access by unauthenticated third parties.
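The exposure Beaumont describes is a storage container that answers unauthenticated requests, which is exactly what search-engine crawlers and open-bucket indexes such as Grayhat Warfare pick up. The script below is an added example written for this article (it is not SOCRadar’s scanner, and nothing Microsoft published) showing how to check one of your own Azure Blob Storage containers for anonymous listability: it sends the same credential-less List Blobs request a crawler would, then classifies the answer. The account name `contosoexample`, the container `backups`, and both sample responses are constructed for the example; the classifier runs offline against them, while `probe()` needs network access.

```python
# Added example: probe an Azure Blob Storage container for anonymous listability.
# Illustrative code written for this article, not SOCRadar's tooling or anything
# Microsoft published. Account and container names below are made up.
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET


def list_blobs_url(account: str, container: str) -> str:
    """URL of the List Blobs operation; no credentials or SAS token are attached."""
    return (f"https://{account}.blob.core.windows.net/{container}"
            "?restype=container&comp=list")


def classify(status: int, body: bytes) -> dict:
    """Classify an unauthenticated List Blobs response.

    HTTP 200 with an <EnumerationResults> body means the container's public
    access level is "container": anyone on the internet, crawlers included,
    can enumerate and download its blobs. Any other answer means this probe
    could not list it; the storage error <Code>, when present, is surfaced so
    a private container can be told apart from a mistyped name.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        root = None
    if status == 200 and root is not None and root.tag == "EnumerationResults":
        names = [n.text for n in root.iter("Name")]  # <Blob><Name> entries
        return {"listable": True, "reason": "anonymous List Blobs succeeded", "blobs": names}
    code = ""
    if root is not None and root.tag == "Error":
        node = root.find("Code")
        if node is not None and node.text:
            code = node.text
    return {"listable": False, "reason": f"HTTP {status} {code}".strip(), "blobs": []}


def probe(account: str, container: str, timeout: float = 10.0) -> dict:
    """Send the anonymous request (requires network) and classify the answer."""
    req = urllib.request.Request(list_blobs_url(account, container))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())


# Constructed sample responses for offline use (not captured from any real account).
PUBLIC_LISTING = b"""<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://contosoexample.blob.core.windows.net/" ContainerName="backups">
  <Blobs>
    <Blob><Name>crm-sqldb-2022-09.bak</Name><Properties><Content-Length>2400000000</Content-Length></Properties></Blob>
    <Blob><Name>orders/invoice-1042.pdf</Name><Properties><Content-Length>18203</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""

PRIVATE_RESPONSE = b"""<?xml version="1.0" encoding="utf-8"?>
<Error><Code>ResourceNotFound</Code><Message>The specified resource does not exist.</Message></Error>"""


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: python probe_blob.py <storage-account> <container>
        print(probe(sys.argv[1], sys.argv[2]))
    else:
        print(classify(200, PUBLIC_LISTING))     # listable, two blob names
        print(classify(404, PRIVATE_RESPONSE))   # not listable, ResourceNotFound
```

Two caveats for anyone using this against their own estate. First, the probe only detects the "container" public access level; a container set to "blob" still serves any blob whose name is known without listing it, so check the configuration rather than relying on the probe alone (`az storage container show --name <container> --account-name <account> --query properties.publicAccess`). Second, closing the hole is a property change, not a code change: `az storage container set-permission --name <container> --account-name <account> --public-access off` for one container, and `az storage account update --name <account> --resource-group <rg> --allow-blob-public-access false` to forbid anonymous access account-wide, which is the setting that would have stopped the backup described above from being readable by unauthenticated third parties.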
SOCRadar discovered six exposed buckets, collectively named BlueBleed, affecting 150,000 companies from 123 countries. However, only Part 1 was maintained by Microsoft.
“While some of the data that may have been accessed seems trivial, if SOCRadar is correct in what was exposed, it could include some sensitive information about the infrastructure and network configuration of potential customers,” said Erich Kron, Security Awareness Advocate at KnowBe4. “This information could be valuable to potential attackers who may be looking for vulnerabilities within one of these organizations’ networks.”
According to Amit Shaked, CEO and co-founder of Laminar, the data breach was a reminder of the most important question business leaders should be asking: “where is our sensitive data?”
Shaked advised organizations to have complete observability of their sensitive customer data to safeguard against most modern cyber threats: “With monitoring and control of valuable data, enterprises will have the clarity they need to keep up with today’s fast-paced cloud environment.”
Microsoft accused SOCRadar of exaggerating the customer data breach
Microsoft acknowledged that it had received information about a misconfigured endpoint, which it quickly secured by enabling authentication, and that it had notified the impacted customers.
The company also explained that “the issue” originated from “an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability.”
Additionally, Microsoft lashed out at SOCRadar in a fiery statement posted on the MSRC blog, claiming that the threat intelligence firm had “greatly exaggerated the scope of this issue.”
The tech giant added that its analysis of the business transaction data set found duplicate entries:
“Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error.”
However, SOCRadar explained that the alleged duplicates were customer details from different branches of the same organization, with different infrastructure, financial operations, and leadership.
Microsoft also reprimanded SOCRadar for publicly releasing a search tool, claiming it was “not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk.”
However, SOCRadar fired back, asserting that the BlueBleed search tool did not endanger the data breach victims.
Describing Microsoft’s reaction as a “Botched Response,” Beaumont suggested that Microsoft was unable or unwilling to notify customers and regulators. He advised Microsoft to change the tactic of putting out blog posts “blaming finders,” claiming that the “rabbit is out of the bag.”