
BlueBleed: Microsoft customer data leak claimed to be ‘one of the largest’ in years

Microsoft has confirmed a data leak linked to a misconfigured server for a cloud storage service but is disputing the extent of the problem.

In a revelation this week, Microsoft’s Security Response Center (MSRC) said the cloud provider was notified by threat intelligence firm SOCRadar on September 24 about the misconfigured endpoint that exposed business transaction data related to interactions between Microsoft and customers.

The information related to the planning, potential implementation and provisioning of Microsoft services, according to MSRC. Once notified, Microsoft secured the endpoint, which now requires authentication before it can be accessed.

“Our investigation found no indication customer accounts or systems were compromised,” the unit wrote. “We have directly notified the affected customers.”

However, in a report also released this week, SOCRadar researchers wrote that the misconfigured server exposed sensitive data including proof-of-execution and statement-of-work documents, user information, product offers and orders, project details, and personally identifiable information (PII).

The documents may have also revealed intellectual property, they claim.

SOCRadar said that its Cloud Security Module monitors “public buckets” to detect exposed customer data and that six large public buckets contained information from more than 150,000 companies in 123 countries. The company is collectively referring to the leaks as “BlueBleed”.

The report details the leaks found in one of the largest public buckets – referred to as BlueBleed Part 1 – a misconfigured Azure Blob Storage instance that allegedly contained information from more than 65,000 entities in 111 countries.

In all, they discovered 2.4TB of publicly available data that dated from 2017 to August this year with BlueBleed Part 1, including more than 335,000 emails, 133,000 projects, and 548,000 exposed users.

The report says the parties “who may have accessed the bucket may use this information in different forms for extortion, blackmailing, creating social engineering tactics with the help of exposed information, or simply selling the information to the highest bidder on the dark web and Telegram channels.”

“Surely this is not the first time a misconfigured server has exposed sensitive information, and it will not be the last,” Can Yoleri, vulnerability and threat researcher at SOCRadar and the primary investigator of BlueBleed, said in a statement. “However, with vital leaked data belonging to tens of thousands of entities, BlueBleed is one of the largest B2B leaks in recent years.”

Microsoft disputed SOCRadar’s description of the extent of the leak, which it said involved business transaction data such as names, email addresses, email content, company names, and phone numbers, and may also include attached files linked to business “between a customer and Microsoft or an authorized Microsoft partner.”

“After reviewing [the SOCRadar] blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue,” MSRC wrote. “Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error.”

Microsoft also criticized SOCRadar for publicly releasing a search tool that it says does not ensure customer privacy or security and could expose organizations to risk. SOCRadar said it provides a free service enterprises can use to search for their company names to determine if they are affected by any of the BlueBleed leaks.

SOCRadar researchers said misconfigured servers are among the top causes of data leaks and, pointing to the SANS 2022 Top New Attacks and Threat Report, added that data exfiltration from cloud storage is a common attack avenue.

“Threat actors constantly scan public storage buckets for sensitive data,” the researchers wrote. “They have the resources and means to automate the scanning with advanced tools. Companies should proactively monitor such cyber risks with automated security tools.”
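The scan SOCRadar describes is, at bottom, an unauthenticated List Blobs request against a storage container: a container whose public access level is "container" answers it with an enumeration of every blob name. The script below is an added example, not code from SOCRadar, Microsoft or this article; it issues that request the way a scanner would and interprets the reply so an organization can run the same probe against its own accounts. The account and container names are placeholders, and the XML responses embedded in it are constructed to match the service's documented response shapes rather than captured from any real account.

```python
"""Anonymous-listing probe for an Azure Blob Storage container (added example).

Account/container names are placeholders; SAMPLE_RESPONSES are constructed,
not captured, and mirror the documented List Blobs / error body layouts.
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET


def list_url(account: str, container: str) -> str:
    """Unauthenticated List Blobs URL: no SAS token, no Authorization header."""
    return (f"https://{account}.blob.core.windows.net/{container}"
            "?restype=container&comp=list")


def classify_response(status: int, body: bytes) -> tuple[str, list[str]]:
    """Interpret the service's reply to an anonymous listing request.

    Returns (verdict, blob_names):
      'public-listing'  anonymous callers can enumerate the container
                        (container access level "container")
      'not-public'      service answered PublicAccessNotPermitted
                        (account-level public access disabled)
      'no-listing'      listing refused or container absent; note that a
                        container at access level "blob" still serves
                        individual blobs anonymously, which a listing probe
                        alone cannot detect
      'unexpected'      anything else (non-XML body, other status)
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ("unexpected", [])
    if status == 200 and root.tag == "EnumerationResults":
        names = [n.text or "" for n in root.findall("./Blobs/Blob/Name")]
        return ("public-listing", names)
    if root.tag == "Error":
        code = (root.findtext("Code") or "").strip()
        if code == "PublicAccessNotPermitted":
            return ("not-public", [])
        if code in ("ResourceNotFound", "ContainerNotFound"):
            return ("no-listing", [])
    return ("unexpected", [])


def probe(account: str, container: str, timeout: float = 10.0) -> tuple[str, list[str]]:
    """Send the anonymous request and classify whatever comes back."""
    req = urllib.request.Request(list_url(account, container),
                                 headers={"x-ms-version": "2020-10-02"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:       # 404/409 etc. carry an XML body
        return classify_response(err.code, err.read())
    except urllib.error.URLError:               # DNS failure: account does not exist
        return ("unreachable", [])


# Constructed sample replies (placeholder account "contoso", container "exports").
SAMPLE_RESPONSES: dict[str, tuple[int, bytes]] = {
    "open": (200, b'<?xml version="1.0" encoding="utf-8"?>'
                  b'<EnumerationResults ServiceEndpoint="https://contoso.blob.core.windows.net/" '
                  b'ContainerName="exports"><Blobs>'
                  b'<Blob><Name>sow-2021.pdf</Name><Properties><Content-Length>12</Content-Length></Properties></Blob>'
                  b'<Blob><Name>orders.csv</Name><Properties/></Blob>'
                  b'</Blobs><NextMarker /></EnumerationResults>'),
    "denied": (404, b'<?xml version="1.0" encoding="utf-8"?><Error>'
                    b'<Code>PublicAccessNotPermitted</Code>'
                    b'<Message>Public access is not permitted on this storage account.</Message></Error>'),
    "missing": (404, b'<?xml version="1.0" encoding="utf-8"?><Error>'
                     b'<Code>ResourceNotFound</Code>'
                     b'<Message>The specified resource does not exist.</Message></Error>'),
}


def demo() -> dict[str, str]:
    """Classify the constructed samples offline; returns {sample: verdict}."""
    return {name: classify_response(status, body)[0]
            for name, (status, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    if len(sys.argv) == 3:                      # python probe.py <account> <container>
        verdict, names = probe(sys.argv[1], sys.argv[2])
        print(verdict, *names[:20], sep="\n")
    else:
        for sample, verdict in demo().items():
            print(f"{sample}: {verdict}")
```

Anything that comes back as `public-listing` against a container that is not meant to be a public download site is the BlueBleed condition. The fix is the same one Microsoft applied, made at the account level so no single container can be re-opened by mistake: `az storage account update -n <account> -g <resource-group> --allow-blob-public-access false`, with `az storage container set-permission -n <container> --account-name <account> --public-access off` for any container that must stay in an account where public access is still allowed. The `no-listing` verdict is not a clean bill of health: a container at access level "blob" refuses enumeration but still serves any blob whose name an attacker can guess or has harvested elsewhere.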

In an email to The Register, Erich Kron, security awareness advocate for cybersecurity firm KnowBe4, said that some of the data exposed may seem trivial, but that if SOCRadar’s information is correct, “it could include some sensitive information about the infrastructure and network configuration of potential customers. This information could be valuable to potential attackers who may be looking for vulnerabilities within one of these organizations’ networks.”

Kron also said that incidents like BlueBleed illustrate that with cloud storage, such a misconfiguration can expose information from many more organizations and individuals than a similar issue with on-premises systems.

“This is simply something organizations that are hosting applications and data in any of the various cloud platforms need to understand,” he said. “Policies related to double checking configuration changes, or having them confirmed by another person, are not a bad idea when the outcome could lead to the exposure of sensitive data.” ®