Microsoft data breach: what we know so far

The global IT giant exposed thousands of users' data, but kept victims in the dark.
10 December 2022

After SOCRadar flagged a Microsoft data breach at the end of October, the company confirmed that a server misconfiguration had caused 65,000+ companies’ data to be leaked. In the incident, termed “BlueBleed,” a security lapse left an Azure endpoint open to unauthenticated access.

In a statement about the scale of the leak, it was revealed that security researchers at SOCRadar informed Microsoft of the leak on September 24. Although the “investigation found no indication customer accounts or systems were compromised,” information including customer names, email addresses, email content, company names, and phone numbers was among the data that could have been accessed without authentication.

SOCRadar’s report suggests that this Microsoft data breach can be considered one of the most significant B2B leaks of recent years, but Microsoft disputes the severity of the incident. The Windows creator argues that the report “greatly exaggerated” the reach of the problem since the data used by SOCRadar contains “multiple references to the same emails, projects, and users.”

Insisting that the issue isn’t serious, Microsoft requested that the cybersecurity vendor temporarily suspend all BlueBleed queries in the Threat Hunting module offered to SOCRadar customers.

In a now-deleted tweet, security researcher Kevin Beaumont said: “Microsoft being unable (read: refusing) to tell customers what data was taken and apparently not notifying regulators – a legal requirement – has the hallmarks of a major botched response. I hope it isn’t.”

Microsoft did not break the news of the leak itself; it only confirmed the incident almost a month after it had been flagged. It stated that it focused its attention on directly notifying the customers that its investigations had identified as impacted by the leak, starting on October 4.

The severity of the Microsoft data breach

It is perhaps not so shocking that a data exposure can be caused by a misconfiguration by a Microsoft staffer (the probable cause), but the slow response from the company is concerning. As well as suggesting that SOCRadar miscounted and exaggerated the numbers impacted by the problem, the party at fault, in this case Microsoft, has arguably trivialized the type of data leaked.

Erich Kron told The Hacker News, “While some of the data that may have been accessed seems trivial, if SOCRadar is correct in what was exposed, it could include some sensitive information about the infrastructure and network configuration of potential customers.”

Responding to the Microsoft data breach, the company seems to have gone on the defensive against the wrong people. Although it “appreciate[s]” being informed about the misconfigured endpoint, the company certainly does not refer to SOCRadar positively in its report on the leak.

The incident undermines the inherent trust customers place in the services provided by hyperscalers. Even at household-name providers, human error in configuration setups can expose many thousands of details that could easily be used maliciously.

The relationship between large cloud providers and security companies has its more positive sides in the bug bounties on more-or-less permanent offer: find security holes and win money. In this case, no bounty was involved, but the fact that Microsoft did not step forward and release details of the incident proactively devalues its reputation. Questioning the numbers posited by SOCRadar and downplaying the importance of the exposed data exacerbates the tarnishing of its reputation.