
Microsoft breach reveals some customer data

Microsoft customers find themselves in the middle of a data breach situation. The Microsoft Security Response Center blog reports that researchers reported a misconfigured Microsoft endpoint on September 24. This misconfiguration resulted in the possibility of “unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers”.

Misconfigured servers are a major cause of unintentional data loss and unauthorised access. While the issue was apparently “quickly secured”, there are still questions as to what exactly happened and what the potential fallout could be.

Assessing the impact

The first and most important point: Microsoft sees no evidence of customer systems or accounts having been compromised, and affected customers have been “directly notified”.

As per Microsoft:

“The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability. We are working to improve our processes to further prevent this type of misconfiguration and performing additional due diligence to investigate and ensure the security of all Microsoft endpoints.”

Of course, this isn’t the whole story and some data was unintentionally exposed. What is it, and how bad might things be as a result? Let’s hear from Microsoft again:

“The business transaction data included names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorised Microsoft partner.”

The numbers game

What kind of scale are we talking about here? Bleeping Computer notes that the researchers who first discovered this claim to have linked this data to “more than 65,000 entities from 111 countries”. This data supposedly ranges from 2017 to August 2022. However, Microsoft disagrees with the assessment of what’s taken place. From its writeup:

“…after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue. Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users.”

Microsoft goes on to advise on how a searchable database of compromised data should be operated without creating further risk: by locking down who, exactly, can access it. This is an ongoing situation, and some of those impacted are finding that obtaining specifics is proving difficult. For now, the best we can do is wait and see what other developments this one has in store for us.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.