Highlights:

  • Microsoft’s investigation showed no signs that accounts or systems were compromised, but customers who might have been affected were notified.
  • Security researchers at SOCRadar Cyber Intelligence Inc. detected the exposed endpoint on September 24.

Microsoft Corp. today confirmed the details of a September server misconfiguration that may have exposed information belonging to some prospective customers.

According to a post from the Microsoft Security Response Center today, the exposure stemmed from a Microsoft endpoint that was not configured correctly. Security researchers at SOCRadar Cyber Intelligence Inc. detected the exposed endpoint on September 24. The misconfiguration allowed unauthenticated access to some business transaction data related to interactions between Microsoft and prospective customers, such as planning for, or the potential implementation and provisioning of, Microsoft services.

Once notified of the misconfiguration, Microsoft secured the endpoint. Its investigation found no indication that customer accounts or systems were compromised, but customers who might have been affected were notified.

Exposed data included names, email addresses, email content, company names, phone numbers and possibly files attached to emails concerning business between a customer and Microsoft or an authorized Microsoft partner. Microsoft said the issue was an unintentional misconfiguration of a single endpoint that is not in use across the wider Microsoft ecosystem, and was not the result of a security vulnerability.

Microsoft did not say how many prospective customers were exposed by the misconfiguration, but in a separate post SOCRadar, which calls the exposure “BlueBleed,” puts the number at more than 65,000. The SOCRadar researchers also say the data exposed on the Azure Blob Storage instance totaled 2.4 terabytes and included proof-of-execution and statement-of-work documents, some of which may have revealed intellectual property.
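The exposure described above came down to an Azure Blob Storage endpoint that answered unauthenticated requests. The following script, added here as an illustration and not code from the article, Microsoft or SOCRadar, shows the check a practitioner would run against their own storage accounts: issue the Blob service’s anonymous “List Blobs” call against a container and classify the response. The account and container names are hypothetical, and the XML reply is constructed to mirror the shape of the real service response so the example runs offline.

```python
"""Check whether an Azure Blob Storage container answers anonymous requests.

Added example, not part of the original article or of any vendor tooling.
The account/container names are hypothetical; SAMPLE_LISTING is a constructed
response shaped like the Blob service "List Blobs" reply.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of a successful anonymous listing (no real data).
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="quotes">
  <Blobs>
    <Blob><Name>sow-contoso-2022.pdf</Name><Properties><Content-Length>1024</Content-Length></Properties></Blob>
    <Blob><Name>poe-fabrikam.docx</Name><Properties><Content-Length>2048</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""


def list_url(account: str, container: str) -> str:
    """Anonymous List Blobs operation on a container.

    Succeeds without credentials only if the container's public access level
    is "container" and the account permits public blob access.
    """
    return f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"


def parse_listing(body: bytes) -> list:
    """Return the blob names from an EnumerationResults XML body."""
    root = ET.fromstring(body)
    return [n.text for n in root.iterfind("./Blobs/Blob/Name") if n.text]


def classify(status: int, body: bytes) -> str:
    """Turn the HTTP status and body of the anonymous listing call into a verdict."""
    if status == 200:
        try:
            names = parse_listing(body)
        except ET.ParseError:
            return "200 but body is not a blob listing; inspect manually"
        return f"EXPOSED: anonymous listing allowed, {len(names)} blob(s) visible"
    if status == 404:
        # The service returns 404 for anonymous access to a private container
        # as well as for a nonexistent one, and for a container whose public
        # access level is "blob" (individual blobs readable, listing denied).
        # A 404 therefore does NOT prove the data is private.
        return "not listable anonymously (404: private, blob-only access, or nonexistent)"
    if status == 409:
        # Seen when the storage account disallows public blob access entirely.
        return "not listable anonymously (409: public access disabled on account)"
    if status in (401, 403):
        return "not listable anonymously (authentication required)"
    return f"unexpected status {status}; inspect manually"


def probe(account: str, container: str, timeout: float = 10.0) -> str:
    """Send the anonymous listing request and classify the live response."""
    req = urllib.request.Request(list_url(account, container), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(classify(200, SAMPLE_LISTING))
    print(classify(404, b""))
    # Live probe only when an account and container are supplied.
    if len(sys.argv) == 3:
        print(probe(sys.argv[1], sys.argv[2]))
```

Run it with no arguments to see the classification of the constructed sample, or with a storage account name and container name to probe a live endpoint you are authorized to test. The 404 branch is the caveat worth remembering: it does not confirm the container is private, only that it cannot be enumerated, so a blob-level public access setting still needs to be checked separately (for example with the Azure CLI’s `az storage container show-permission`).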

Erich Kron, security awareness advocate at KnowBe4 Inc., said in an interview, “While some of the data that may have been accessed seems trivial, if SOCRadar is correct in what was exposed, it could include some sensitive information about the infrastructure and network configuration of potential customers.”

Kron added, “This information could be valuable to potential attackers who may be looking for vulnerabilities within one of these organizations’ networks.”

Kron pointed out that while cloud services can be very convenient and, if secured appropriately, very safe, when something goes wrong the information can be seen by far more people than it could on traditional systems kept on-premises.

“This is simply something organizations that are hosting applications and data in any of the various cloud platforms need to understand,” Kron said. “Policies related to double-checking configuration changes, or having them confirmed by another person, are not a bad idea when the outcome could lead to the exposure of sensitive data.”