Threat intelligence company SOCRadar is claiming a misconfigured Microsoft server wound up exposing years of sensitive data for tens of thousands of its customers, including personally identifiable information, user data, product and project details and intellectual property.
Meanwhile, Microsoft has acknowledged the error but accused the researchers of “exaggerating” the scope of the impact.
On Wednesday SOCRadar published a blog post stating that its cloud security monitoring platform had identified a publicly accessible Azure Blob Storage container (Azure's equivalent of a storage bucket) that held sensitive, non-public data for more than 65,000 Microsoft customers across 111 countries. The company said the leak, which it is calling BlueBleed, includes proofs of concept and statements of work, personally identifiable information, intellectual property, product orders, project details and other user information.
In an interview, SOCRadar Chief Information Security Officer Ensar Seker told SC Media that the storage container was found by the company's cloud monitoring engine, which crawls the public internet for misconfigured servers and assets. Upon discovering the exposed Azure storage, he said, they immediately stopped crawling, sent alerts out to their customers and notified Microsoft. They also created a search tool that would allow potentially affected customers to search for metadata that would confirm they were part of the breach.
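The misconfiguration at the centre of the story is a container whose public access level permits anonymous listing, which is exactly what an internet-wide crawler tests for. The following Python is an added example, not SOCRadar's crawler or any Microsoft code: it builds the unauthenticated List Blobs request for a container and classifies the answer. The response-code interpretation (200 means anyone can enumerate blob names; 409 with `PublicAccessNotPermitted` means the account has `AllowBlobPublicAccess` switched off; 404 with `ResourceNotFound` is what Azure returns both for a non-existent container and for one that does not allow anonymous access) is my reading of the public REST documentation and is an assumption, as are the account and container names and the sample XML bodies, which are constructed for the example.

```python
"""Classify whether an Azure Blob Storage container allows anonymous listing.

Added example; not SOCRadar's scanner or Microsoft's code. Status-code
meanings are the author's assumptions from the Azure Storage REST docs.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.error import HTTPError
from urllib.request import Request, urlopen


def anonymous_list_url(account: str, container: str) -> str:
    """Unauthenticated List Blobs URL. It only succeeds when the container's
    public access level is 'Container' (anonymous read *and* list)."""
    return f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"


@dataclass
class ExposureResult:
    verdict: str                          # see classify_listing_response
    blob_names: list[str] = field(default_factory=list)
    error_code: str | None = None


def parse_blob_names(body: bytes) -> list[str]:
    """Pull <Blobs><Blob><Name> entries out of a List Blobs response."""
    root = ET.fromstring(body)
    return [n.text for n in root.findall("./Blobs/Blob/Name") if n.text]


def parse_error_code(body: bytes) -> str | None:
    """Azure error bodies look like <Error><Code>X</Code><Message>..</Message></Error>."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    code = root.find("Code")
    return code.text if code is not None else None


def classify_listing_response(http_status: int, body: bytes) -> ExposureResult:
    """Map an anonymous List Blobs answer to a finding (assumed semantics):
    200                          -> anyone on the internet can enumerate the blobs
    409 PublicAccessNotPermitted -> account-level AllowBlobPublicAccess is false
    404 (ResourceNotFound)       -> no such container, or not listable anonymously;
                                    Azure does not tell unauthenticated callers which
    """
    if http_status == 200:
        return ExposureResult("public-listing", parse_blob_names(body))
    code = parse_error_code(body)
    if http_status == 409 and code == "PublicAccessNotPermitted":
        return ExposureResult("account-blocks-public-access", error_code=code)
    if http_status == 404:
        return ExposureResult("not-listable-anonymously", error_code=code)
    return ExposureResult(f"unexpected-{http_status}", error_code=code)


def probe(account: str, container: str, timeout: float = 10.0) -> ExposureResult:
    """Live check (needs network). No credentials are sent, so a 200 here means
    the listing is open to everyone, not just to you."""
    req = Request(anonymous_list_url(account, container),
                  headers={"x-ms-version": "2020-10-02"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return classify_listing_response(resp.status, resp.read())
    except HTTPError as err:
        return classify_listing_response(err.code, err.read())


# Constructed sample responses for offline use; not captured from any real account.
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="utf-8"?>
<EnumerationResults ServiceEndpoint="https://example.blob.core.windows.net/" ContainerName="partner-docs">
  <Blobs>
    <Blob><Name>contoso/SOW-2019.pdf</Name><Properties><Content-Length>1024</Content-Length></Properties></Blob>
    <Blob><Name>fabrikam/proof-of-concept.docx</Name><Properties><Content-Length>2048</Content-Length></Properties></Blob>
  </Blobs>
  <NextMarker />
</EnumerationResults>"""

SAMPLE_NOT_FOUND = b"""<?xml version="1.0" encoding="utf-8"?>
<Error><Code>ResourceNotFound</Code><Message>The specified resource does not exist.</Message></Error>"""

SAMPLE_BLOCKED = b"""<?xml version="1.0" encoding="utf-8"?>
<Error><Code>PublicAccessNotPermitted</Code><Message>Public access is not permitted on this storage account.</Message></Error>"""


if __name__ == "__main__":
    for status, body in ((200, SAMPLE_LISTING), (404, SAMPLE_NOT_FOUND), (409, SAMPLE_BLOCKED)):
        result = classify_listing_response(status, body)
        print(status, result.verdict, result.blob_names or result.error_code)
```

A 200 on this request is the BlueBleed condition: blob names alone (customer names, statement-of-work file names) are already a leak, before any file is downloaded. The remediation Microsoft describes ("reconfigured to make it private") corresponds to setting the container's public access level to off, and, account-wide, disabling anonymous access so that no container can be re-opened later; with the Azure CLI that is `az storage container set-permission --public-access off` for the container and `az storage account update --allow-blob-public-access false` for the account.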
“First we informed Microsoft about this, and they said ‘you need to delete all the data,’" Seker said. "That’s what we did, and we are not analyzing any data, we’re just keeping the metadata, which is the domain name, company name and email. If any of these things are mentioned in the exposed data, we just tell the customers you are involved in the incident, that’s all."
“We shared every single piece of information from the beginning with Microsoft, and we have kept them informed at all times,” Seker added.
How bad is it? Microsoft versus SOCRadar
In a blog post published the same day, the Microsoft Security Response Center (MSRC) confirmed the incident, saying a misconfigured endpoint resulted in the potential for unauthenticated access to certain business transaction data.
“The business transaction data included names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner,” Microsoft said Wednesday.
The endpoint was reconfigured to require authentication after notification, and the two releases were published under a coordinated vulnerability disclosure process, but Microsoft criticized SOCRadar's characterization of the incident, saying the researchers "have greatly exaggerated the scope of this issue."
“Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error,” the company said. “More importantly, we are disappointed that SOCRadar has chosen to release publicly a ‘search tool’ that is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk.”
But Seker told SC Media that’s not accurate. Some of the files Microsoft is claiming are duplicates were actually exposed data for different branches of the same multinational business. In many cases, he said these organizations appear to have separate leadership, financial accounts and IT architectures.
“Those are different entities according to us, but Microsoft says no, those are not different entities, those are all one account," he said. "But when you take a look at the organizations in the hierarchy, their CEOs are different, their accounts department is different, so they can’t be one account."
Risk management for impacted customers
Meanwhile, Seker said the creation of the search tool was done to help SOCRadar customers and others identify if they were affected. Initially they began referring potentially affected parties to Microsoft for validation, but Microsoft was telling entities they were unaffected when there were clearly file names and metadata that corresponded to their business.
Seker said they deleted the exposed data at Microsoft’s request and the search tool could only access filenames, which often included the name of the affected company. After further pressure from Microsoft, they also deleted the filename metadata from the leak, and now simply offer a yes or no answer to those who provide their company domain names and ask if they are affected.
A follow-up FAQ blog post the company is planning to release this week compares the service to the popular "Have I Been Pwned" site, where users can input their email address to learn whether it has appeared in a data breach.
“The Bluebleed search only shows if a domain name was detected on this leak or not and does not publicly provide any other details about the searched domain names,” reads a draft of the blog obtained by SC Media. “What we aim with the Bluebleed search engine is basically an enterprise version of Have I Been Pwned where organizations can search if their data was exposed in some of the cloud data leaks [our engine] has detected so far. As a cyber threat intelligence company, we owe this to the community.”
It’s not immediately clear how long the information was publicly exposed or how far back the data goes. Seker said it was possible the information was publicly available for years, and said that while they don’t have direct evidence the data was accessed by a malicious party, it is highly possible that someone else discovered the leaked data before SOCRadar did. Meanwhile, security researcher and former Microsoft employee Kevin Beaumont said the leak was publicly indexed on search engines for months and some of the data goes back to 2014.
Beaumont criticized Microsoft’s response to the exposure and their history of “blaming the finders” of security issues instead of being transparent and taking accountability for their mistakes.
“Microsoft being unable (read: refusing) to tell customers what data was taken and apparently not notifying regulators - a legal requirement - has the hallmarks of a major botched response,” Beaumont wrote on Twitter. “I hope it isn’t.”
The exposed container was one of six storage buckets SOCRadar found misconfigured in a similar way, affecting a total of 150,000 entities, but Seker told SC Media the other five do not belong to Microsoft.