Microsoft discloses data breach

Microsoft exposed some of its customers’ names, email addresses, and email content, among other sensitive data.

A misconfigured Microsoft endpoint resulted in the potential for unauthenticated access to some business transaction data.

The company learned about the misconfiguration on September 24 and secured the endpoint.

“Our investigation found no indication customer accounts or systems were compromised. We have directly notified the affected customers,” Microsoft said.

The business transaction data included names, email addresses, email content, company name, and phone numbers. It might have also included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner.

“The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability,” Microsoft said.

Cybersecurity company SOCRadar was the one to inform Microsoft about the misconfigured endpoint. Microsoft said SOCRadar “has greatly exaggerated the scope of this issue.”

“Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error,” Microsoft said.

On October 19, SOCRadar released a blog post claiming that sensitive data of over 65,000 entities was leaked due to a single misconfigured data bucket.

“Threat actors who may have accessed the bucket may use this information in different forms for extortion, blackmailing, creating social engineering tactics with the help of exposed information, or simply selling the information to the highest bidder on the dark web and Telegram channels,” SOCRadar said.

The company also released a search tool for companies to see if their data had been leaked.

“We are disappointed that SOCRadar has chosen to release publicly a 'search tool' that is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk,” Microsoft said.