A misconfigured server at Microsoft has leaked corporate data from tens of thousands of companies. Microsoft emphasizes that this is a bug, not a vulnerability in the system.
The data breach was reported to Microsoft on September 24 by security company SOCRadar. According to them, the data would amount to transaction data between Microsoft and (potential) customers. These concerns are planning for possible implementations or provisioning of Microsoft services.
Specifically, names, email addresses, email content, company names, and phone numbers were public, as were files related to activities between those customers and Microsoft or a Microsoft partner. According to SOCRadar, this concerns data from 65,000 organizations in 111 countries between 2017 and August 2022, BleepingComputer writes.
SOCRadar found the server through its search portal BlueBLeed, which allows companies to search for leaked data. It claims that Microsoft’s server contained 2.4 terabytes of data containing several hundred thousand emails.
Microsoft itself tells BleepingComputer that it is an unintentional misconfiguration of an endpoint and, therefore, not a weak spot in the system. At the same time, it also criticizes the party that reported the data breach. They do not think such data is possible to be collected and searchable.
At the same time, according to Microsoft, the company would exaggerate the figures and size of the data breach, even if Microsoft did not know how large the size was.
