Microsoft data breach exposes customers’ contact info, emails


Microsoft said today that some of its customers’ sensitive information was exposed by a misconfigured Microsoft server accessible over the Internet.

The company secured the server after being notified of the leak on September 24, 2022 by security researchers at threat intelligence firm SOCRadar.

“This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services,” the company revealed.

“Our investigation found no indication customer accounts or systems were compromised. We have directly notified the affected customers.”

According to Microsoft, the exposed information includes names, email addresses, email content, company name, and phone numbers, as well as files linked to business between affected customers and Microsoft or an authorized Microsoft partner.

Redmond added that the leak was caused by the “unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem” and not due to a security vulnerability.

Leaked data allegedly linked to 65,000 entities worldwide

While Microsoft refrained from providing any additional details regarding this data leak, SOCRadar revealed in a blog post published today that the data was stored on misconfigured Azure Blob Storage.

In total, SOCRadar claims it was able to link this sensitive information to more than 65,000 entities from 111 countries stored in files dated from 2017 to August 2022.

“On September 24, 2022, SOCRadar’s built-in Cloud Security Module detected a misconfigured Azure Blob Storage maintained by Microsoft containing sensitive data from a high-profile cloud provider,” SOCRadar said.

The threat intel company added that, from its analysis, the leaked data “includes Proof-of-Execution (PoE) and Statement of Work (SoW) documents, user information, product orders/offers, project details, PII (Personally Identifiable Information) data, and documents that may reveal intellectual property.”

Microsoft added today that it believes SOCRadar “greatly exaggerated the scope of this issue” and “the numbers.”

Furthermore, Redmond said that SOCRadar’s decision to collect the data and make it searchable using a dedicated search portal “is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk.”

According to a Microsoft 365 Admin Center alert regarding this data breach published on October 4, 2022, Microsoft is “unable to provide the specific affected data from this issue.”

The company’s support team also reportedly told customers who reached out that it would not notify data regulators because “no other notifications are required under GDPR” besides those sent to impacted customers.

Online tool to search the leaked data

SOCRadar’s data leak search portal is named BlueBleed and it allows companies to find if their sensitive info was also exposed with the leaked data.

Besides what was found inside Microsoft’s misconfigured server, BlueBleed also allows searching for data collected from five other public storage buckets.

In Microsoft’s server alone, SOCRadar claims to have found 2.4 TB of data containing sensitive information, with more than 335,000 emails, 133,000 projects, and 548,000 exposed users discovered while analyzing the leaked files until now.

Per SOCRadar’s analysis, these files contain customer emails, SOW documents, product offers, POC (Proof of Concept) works, partner ecosystem details, invoices, project details, customer product price list, POE documents, product orders, signed customer documents, internal comments for customers, sales strategies, and customer asset documents.

“Threat actors who may have accessed the bucket may use this information in different forms for extortion, blackmailing, creating social engineering tactics with the help of exposed information, or simply selling the information to the highest bidder on the dark web and Telegram channels,” SOCRadar warned.

BlueBleed search portalBlueBleed search portal

“No data was downloaded. Some of the data were crawled by our engine, but as we promised to Microsoft, no data has been shared so far, and all this crawled data was deleted from our systems,” SOCRadar VP of Research and CISO Ensar Şeker told BleepingComputer.

“We redirect all our customers to MSRC if they want to see the original data. Search can be done via metadata (company name, domain name, and email). Due to persistent pressure from Microsoft, we even have to take down our query page today.

“On this query page, companies can see whether their data is published anonymously in any open buckets. You can think of it like a B2B version of haveIbeenpwned. The leaked data does not belong to us, so we keep no data at all.

“We are highly disappointed about MSRC’s comments and accusations after all the cooperation and support provided by us that absolutely prevented the global cyber disaster.”

Update October 19, 14:44 EDT: Added more info on SOCRadar’s BlueBleed portal.

Update October 20,  08:15 EDT: Added SOCRadar statement and info on a notification pushed by Microsoft through the M365 admin center on October 4th.


  • SurfingCISO Photo SurfingCISO – 3 days ago

    Hey Sergiu, do you have a CVE for this so I can read further on the exposure?

  • serghei Photo serghei – 3 days ago

    Not really. From the article:

    > Redmond added that the leak was caused by the “unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem” and *not due to a security vulnerability.*

  • BlueCollarCritic Photo BlueCollarCritic – 3 days ago

    “We are highly disappointed about MSRC’s comments and accusations after all the cooperation and support provided by us that absolutely prevented the global cyber disaster.”

    Microsoft (nor does any other cloud vendor) like it when their perfect cloud is exposed for being not so perfect after all. Even though this was caused not by a vulnerability but by a improeprly configured instance it still shows the clouds vulnerability. I’d assume MS is telling no more than they are legally required to and even at that possibly framing the information as best as possible to downplay it all. Teh cloud is nothing more than a tool, not the be all end all digital savior that it’s marketed as and that many believe it to be. One day companies are going to figure out just how bad a decision it was t move everything to and become dependent on a cloud.

  • Windows Repair (All In One) Logo

    Windows Repair (All In One)

    Version: 4.13.1 2M+ Downloads

  • Malwarebytes Anti-Malware Logo

    Malwarebytes Anti-Malware

    Version: 4.5.12 4M+ Downloads

  • Everything Desktop Search Logo

    Everything Desktop Search

    Version: 21,479 Downloads

  • Zemana AntiLogger Free Logo

    Zemana AntiLogger Free

    Version: 51,569 Downloads

  • Zemana AntiMalware Logo

    Zemana AntiMalware

    Version: NA 303,186 Downloads


Related posts

Android Minecraft clones with 35M downloads infect users with adware

Sarah Henriquez

ScanSource says ransomware attack behind multi-day outages

Sarah Henriquez

Hatch Bank discloses data breach after GoAnywhere MFT hack

Sarah Henriquez

Leave a Comment