Author: Eva Georgieva / Last Updated: 10/26/2022
Reviewed By: Dalibor Gašić, & Michael Swanagan, CISSP, CISA, CISM
A misconfigured endpoint caused a leak of 2.4 TB of Microsoft customer data.
The issue stemmed from a misconfigured Azure Blob Storage instance and was spotted on September 24, 2022, by the security company SOCRadar.
According to the SOCRadar statement, the data leaked was stored on a misconfigured Azure Blob Storage and the impact spanned 65,000 entities from 111 countries.
The customer data exposed in this Microsoft data leak included:
In addition, attached files relating to business between a customer and Microsoft or an authorized Microsoft partner were also exposed.
Per SOCRadar's statement, the exposed data is dated from 2017 to August 2022.
Researchers stated that the bucket was publicly indexed for months and it actively appeared in search engines.
The researchers named the leak “BlueBleed” referring to the exposed sensitive data from six misconfigured buckets.
SOCRadar even set up a website called BlueBleed where users can check if their data has been exposed.
The official SOCRadar website states that the term “BlueBleed” was coined by Can Yoleri, a Threat and Vulnerability Researcher at SOCRadar.
The term refers to the sensitive information leaked by six misconfigured buckets collectively.
SOCRadar's blog post explains how they discovered what they refer to as BlueBleed Part I.
The issue, as they described it, was a misconfigured public bucket holding 2.4 TB of data in a single bucket.
By their estimation, given its scope, it may be one of the most significant B2B leaks.
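The root cause described above is a storage container left open to anonymous access. The following Python script is an added example, not code from the PurpleSec article, SOCRadar or Microsoft: it audits an exported inventory of Azure storage accounts for containers whose effective anonymous access level is not "None", taking into account that the account-level `allowBlobPublicAccess` setting (a real Azure property) overrides the container-level `publicAccess` ACL (real values "None", "Blob" and "Container"), and then produces the hardened baseline. The inventory JSON, account names and container names are constructed for the example; treating a missing or unrecognised value as permissive is an assumption chosen so the audit fails closed.

```python
"""Audit an exported Azure Storage inventory for anonymous (public) blob access.

Added example, not from the article or from SOCRadar/Microsoft. The property
names `allowBlobPublicAccess` and `publicAccess` are real Azure settings; the
inventory below and its shape are constructed for this example.
"""
import copy
import json

# Constructed inventory: two storage accounts, each with a few containers.
INVENTORY_JSON = """
{
  "accounts": [
    {
      "name": "contosodeals",
      "allowBlobPublicAccess": true,
      "containers": [
        {"name": "engagements", "publicAccess": "Container"},
        {"name": "invoices", "publicAccess": "Blob"},
        {"name": "private-archive", "publicAccess": "None"}
      ]
    },
    {
      "name": "contosolocked",
      "allowBlobPublicAccess": false,
      "containers": [
        {"name": "legacy-public", "publicAccess": "Container"}
      ]
    }
  ]
}
"""

# What each container-level anonymous access value allows, and how to rate it.
ACCESS_SEVERITY = {
    "Container": "high",   # anyone can list the container and read every blob
    "Blob": "medium",      # anyone can read a blob whose URL they already know
    "None": None,          # authenticated access only: not a finding
}


def load_inventory(text):
    """Parse the exported inventory JSON into a dict."""
    return json.loads(text)


def effective_public_access(account, container):
    """Return the anonymous access level that is actually reachable.

    Account-level allowBlobPublicAccess=false overrides any container ACL, so a
    container marked "Container" under a locked account is not exposed.
    Assumption: a missing account setting is treated as permissive so that an
    incomplete export does not hide a finding.
    """
    if not account.get("allowBlobPublicAccess", True):
        return "None"
    return container.get("publicAccess", "None")


def find_exposed_containers(inventory):
    """List every container that anonymous clients can reach, with a severity."""
    findings = []
    for account in inventory.get("accounts", []):
        for container in account.get("containers", []):
            level = effective_public_access(account, container)
            # Unknown values are rated high rather than ignored (fail closed).
            severity = ACCESS_SEVERITY.get(level, "high")
            if severity is None:
                continue
            findings.append({
                "account": account["name"],
                "container": container["name"],
                "level": level,
                "severity": severity,
            })
    return findings


def harden(inventory):
    """Return a copy with anonymous access disabled at both levels.

    Disabling allowBlobPublicAccess on the account is the single setting that
    closes every container; resetting each container ACL to "None" as well keeps
    the configuration unambiguous if the account flag is ever flipped back.
    """
    hardened = copy.deepcopy(inventory)
    for account in hardened.get("accounts", []):
        account["allowBlobPublicAccess"] = False
        for container in account.get("containers", []):
            container["publicAccess"] = "None"
    return hardened


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_JSON)
    for f in find_exposed_containers(inventory):
        print(f"[{f['severity']}] {f['account']}/{f['container']}: "
              f"anonymous access = {f['level']}")
    print("findings after hardening:",
          find_exposed_containers(harden(inventory)))
```

Run against the constructed inventory, the audit flags `contosodeals/engagements` (listable, high) and `contosodeals/invoices` (readable by URL, medium) and correctly ignores `contosolocked/legacy-public`, whose container ACL is overridden by the account-level setting. A "Container"-level ACL is the setting that lets crawlers enumerate blob names, which is how an open container can end up indexed by search engines.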
Third parties or threat actors that might have had access to the bucket can use this information in different ways.
The first and most obvious is scraping the email addresses to target the affected companies with social engineering; blackmail and selling the information on the dark web or Telegram channels are also viable options.
Besides that, SOCRadar also stated that the exposed data included details of the network configuration and infrastructure posture of potential customers.
This opens another attack vector: researchers or threat actors could look for vulnerabilities in those systems and network configurations based on the exposed data.
In its statement, Microsoft said it appreciated SOCRadar informing it of the issue; however, following SOCRadar's blog post, Microsoft stated that the security company had greatly exaggerated the scope.
Based on the Microsoft Security Response Center's in-depth analysis and investigation, Microsoft concluded that much of the exposed data was duplicate information, with multiple references to the same projects, email addresses and users.
Microsoft also expressed disappointment that SOCRadar released a search tool where users can check whether their data was exposed, since that does not follow security best practices and may even pose an additional security risk.
In its official statement to customers, Microsoft said that it directly notified every impacted customer and provided instructions on how to proceed with handling the incident.
Eva is a security engineer, researcher, and penetration tester with over 5 years of experience working on both red teams and blue teams.