Microsoft Confirmed ‘BlueBleed’ Data Leak: Customers’ Contact Info & Emails Exposed

Severity

High

Analysis Summary

Microsoft announced today that a misconfigured Microsoft server accessible through the Internet exposed some of its customers’ sensitive information.

The IT giant was notified of the data leak on September 24, 2022, by the security threat intelligence company SOCRadar.

“On September 24, 2022, SOCRadar’s built-in Cloud Security Module detected a misconfigured Azure Blob Storage maintained by Microsoft containing sensitive data from a high-profile cloud provider,” reported SOCRadar.

“This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services,” the company revealed.

On the same day of the notification, Microsoft secured the server.

“Our investigation found no indication customer accounts or systems were compromised. We have directly notified the affected customers.”

According to the IT giant, the exposed information includes names, email addresses, email content, company name, and phone numbers, as well as data related to business between impacted customers and Microsoft or a Microsoft-authorized partner.

An unintentional misconfiguration on an endpoint that is not currently in use within the Microsoft ecosystem is the main cause of the data leak. The company emphasized that the leak was not caused by a security vulnerability.

Microsoft opted not to provide any more information about this data leak, but SOCRadar disclosed in a blog post posted that the information was kept on misconfigured Azure Blob Storage which impacted more than 65,000 entities from 111 countries.

“SOCRadar has detected that sensitive data of 65,000 entities became public because of a misconfigured server. The leak includes Proof-of-Execution (PoE) and Statement of Work (SoW) documents, user information, product orders/offers, project details, PII (Personally Identifiable Information) data, and documents that may reveal intellectual property.” 

The researchers called the leak “BlueBleed,” alluding to the sensitive data exposed by six misconfigured buckets.

Also, BlueBleed, a data leak search portal named by SOCRadar, allows organizations to find out whether their data was exposed.

According to SOCRadar, the analysis of the stolen files up until this point revealed more than 335,000 emails, 133,000 projects, and 548,000 exposed users among the 2.4 TB of sensitive data that was identified on Microsoft’s server alone.

“Threat actors who may have accessed the bucket may use this information in different forms for extortion, blackmailing, creating social engineering tactics with the help of exposed information, or simply selling the information to the highest bidder on the dark web and Telegram channels,” SOCRadar warned.

Microsoft added today that it believes “the numbers” and “the magnitude of this issue” were greatly exaggerated by SOCRadar.

Additionally, Redmond said that SOCRadar’s decision to gather the information and make it accessible through a specific search site “is not in the best interest of safeguarding consumer privacy or security and potentially exposing them to needless risk.”

Microsoft condemned SOCRadar’s move to establish the search portal due to the possible impact on client security or privacy.

“More importantly, we are disappointed that SOCRadar has chosen to release publicly a “search tool” that is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk.” Microsoft added

The company’s support service apparently told customers who contacted it that it would not tell data regulators because “no other notifications are necessary under GDPR” than those issued to impacted customers.

They added:

“We redirect all our customers to MSRC if they want to see the original data. Search can be done via metadata (company name, domain name, and email). Due to persistent pressure from Microsoft, we even have to take down our query page today.

At this point, it is unclear whether threat actors gained access to the exposed server.

Impact

• Unauthenticated Access
• Intellectual Property Disclosure
• Sensitive Information Exposure

Remediation

• If you see your company domain name as [ DETECTED ], please contact MSRC to get more information about your case.
• For more information refer to Microsoft Security Response Center