Microsoft is annoyed with security firm that discovered misconfigured server exposing sensitive customer data
Microsoft has admitted that the sensitive data of thousands of customers was exposed last month because of a "misconfigured Microsoft endpoint". The data includes names, email addresses, the content of emails and attachments related to business between a customer and Microsoft or an authorized Microsoft partner.
Security researchers from SOCRadar notified Microsoft about the server misconfiguration back on September 24. The data exposure is part of a series of leaks from public data buckets which the security firm has dubbed BlueBleed. It is described as "one of the largest B2B leaks in recent years" and affects thousands of individuals and companies across over 100 countries. Microsoft has addressed the misconfiguration, but the company is not happy with SOCRadar.
- Leak suggests Microsoft going to borrow design ideas from macOS for Windows 12
- How to disable File Explorer tabs in Windows 11
- Microsoft releases out-of-band KB5020387 update to fix TLS handshake issues in Windows 11
In a message posted in the Microsoft Security Response Center, Microsoft says: "Security researchers at SOCRadar informed Microsoft on September 24, 2022, of a misconfigured Microsoft endpoint. This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services."
The company goes on to say:
Upon being notified of the misconfiguration, the endpoint was quickly secured and is now only accessible with required authentication. Our investigation found no indication customer accounts or systems were compromised. We have directly notified the affected customers.
Microsoft blames the issue on "an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem", stressing that it "was not the result of a security vulnerability".
In a post of its own, SOCRadar says:
SOCRadar has detected that sensitive data of 65,000 entities became public because of a misconfigured server. The leak includes Proof-of-Execution (PoE) and Statement of Work (SoW) documents, user information, product orders/offers, project details, PII (Personally Identifiable Information) data, and documents that may reveal intellectual property.
SOCRadar’s built-in Cloud Security Module monitors public buckets to detect any information exposure of customer data. Among many discovered public buckets, six large ones contained information for more than 150,000 companies in 123 different countries. The leaks are collectively dubbed BlueBleed by SOCRadar to better track the intelligence around it. While this article covers the largest one of the BlueBleed leaks (BlueBleed Part I), we will publish our analysis for other buckets owned by different organizations as we complete our investigation on them.
Although Microsoft expressed gratitude to the security firm for drawing its attention to the issue, the company is also unhappy with a couple of things.
We appreciate SOCRadar informing us about the misconfigured endpoint, but after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue. Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error.
More importantly, we are disappointed that SOCRadar has chosen to release publicly a "search tool" that is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk.