Hundreds of Microsoft customers awoke yesterday to find hundreds of Azure invoices of other customers in their inbox. Each customer was emailed not only their own invoice, but scores of bills intended for others.
The Microsoft reseller who alerted us woke yesterday morning to find 187 emails in his inbox, all sent in the small hours of the morning.
One of 187 emails received by a Microsoft partner
Each email contained an attached invoice showing the customer details, order number, and the Azure subscription ID to which the invoice applied.
An Azure in Open invoice as attached to each email
The invoices related to Azure in Open, a licensing scheme whereby cloud resellers/ integrators purchase Azure credits which are then applied to customer accounts, enabling them to make a small profit on the deal.
What appears to have happened is that Microsoft's invoicing system for a certain number of Azure in Open partners sent all 187 invoices to every customer, rather than one to each. Typically, these invoices are for small amounts as this is a scheme aimed at smaller customers.
Although not an immediate security risk, the data breach is an embarrassment for Microsoft and might give someone clues about who to call in search of more business, or email addresses that might be particularly vulnerable to Azure-related phishing attacks.
Microsoft has since emailed the businesses affected, saying: "[A]n invoice associated with your Azure in Open (AiO) subscription was inadvertently shared with another customer because of an operational change with the invoicing system," adding: "You may have also incorrectly received invoices of other AiO customers."
It said its engineers had mended an invoice generation and distribution snafu and asked recipients to delete any invoices belonging to other people they had been sent. Well, quite. ®