BlueBleed: Microsoft customer data leak claimed to be 'one of the largest' in years

Microsoft has confirmed one of its own misconfigured cloud systems led to customer information being exposed to the internet, though it disputes the extent of the leak.

In a revelation this week, Microsoft's Security Response Center (MSRC) said it was notified by threat intelligence firm SOCRadar on September 24 about a misconfigured endpoint that exposed business transaction data related to interactions between Microsoft and its customers.

The information included planned use or potential implementation and provisioning of Microsoft services, according to MSRC. Once notified, Microsoft secured its endpoint, which now can only be accessed through appropriate authentication. To be clear: Microsoft screwed up the configuration of a storage system in its own cloud, revealing customer information it was supposed to keep private.

"Our investigation found no indication customer accounts or systems were compromised," the security center wrote. "We have directly notified the affected customers."

In a report also out this week, SOCRadar researchers said Microsoft's misconfiguration exposed sensitive data including proof-of-execution and statement-of-work documents, user information, product offers and orders, project details, and personally identifiable information (PII).

The documents may have also revealed intellectual property, the firm claimed.

SOCRadar said it hunts down and monitors public cloud storage buckets, and found six large Microsoft-managed public buckets containing information on more than 150,000 companies in 123 countries. SOCRadar is collectively referring to the leaks as BlueBleed.

The report states that one of the largest public buckets – referred to as BlueBleed Part 1 – was a misconfigured Azure Blob Storage instance that allegedly contained information on more than 65,000 entities in 111 countries. This amounted to 2.4TB of public-facing Microsoft-owned data that dated from 2017 to August this year, including more than 335,000 emails, 133,000 projects, and 548,000 exposed users.

The report says parties "who may have accessed the bucket may use this information in different forms for extortion, blackmailing, creating social engineering tactics with the help of exposed information, or simply selling the information to the highest bidder on the dark web and Telegram channels."

"Surely this is not the first time a misconfigured server has exposed sensitive information, and it will not be the last," Can Yoleri, vulnerability and threat researchers at SOCRadar and the primary investigator of BlueBleed, said in a statement. "However, with vital leaked data belonging to tens of thousands of entities, BlueBleed is one of the largest B2B leaks in recent years."

• Tear in Microsoft Azure Service Fabric can give attackers full admin privileges
• How GitHub Copilot could steer Microsoft into a copyright storm
• Microsoft makes another round of jobs cuts amid slowing economy
• Microsoft extends Azure Hybrid benefit to some on-prem software

Microsoft disputed SOCRadar's description of the extent of the leak, which it said involved business transaction data – such as names, email address, email content, company names, and phone numbers and may also include attached files linked to business "between a customer and Microsoft or an authorized Microsoft partner."

"After reviewing [the SOCRadar] blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue," MSRC claimed. "Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error."

Microsoft also criticized SOCRadar for publicly releasing a search tool that it says does not ensure customer privacy or security and could expose organizations to risk. SOCRadar said it provides a free service enterprises can use to search for their company names to determine if they are affected by any of the BlueBleed leaks.

SOCRadar researchers said misconfigured servers are among the top causes of data leaks and, pointing to the SANS 2022 Top New Attacks and Threat Report, added that data exfiltration from cloud storage is a common attack avenue.

"Threat actors constantly scan public storage buckets for sensitive data," the researchers wrote. "They have the resources and means to automate the scanning with advanced tools. Companies should proactively monitor such cyber risks with automated security tools."

In an email to The Register, Erich Kron, security awareness advocate for cybersecurity firm KnowBe4, said that some of the data exposed may seem trivial, but that if SOCRadar's information is correct, "it could include some sensitive information about the infrastructure and network configuration of potential customers. This information could be valuable to potential attackers who may be looking for vulnerabilities within one of these organizations' networks."

Kron also said that incidents like BlueBleed illustrate that with cloud storage, such a misconfiguration can expose information from many more organizations and individuals than a similar issue with on-premises systems.

"This is simply something organizations that are hosting applications and data in any of the various cloud platforms need to understand," he said. "Policies related to double checking configuration changes, or having them confirmed by another person, is not a bad idea when the outcome could lead to the exposure of sensitive data." ®