Microsoft “BlueBleed” data breach: customer details and email content exposed

Graham Cluley


Microsoft has admitted that it accidentally exposed sensitive customer data after failing to configure a server securely.

Cybersecurity firm SOCRadar informed Microsoft about the embarrassing leak in September, which researchers claimed involved files dated from 2017 to August 2022.

The following business transaction data has been exposed:

  • names
  • email addresses
  • email content
  • company name
  • phone numbers

In addition, Microsoft warned that the exposed data may include “attached files relating to business between a customer and Microsoft or an authorized Microsoft partner.”

SOCRadar claims that the sensitive data of over 65,000 entities in 111 countries was sitting on a misconfigured Microsoft server that had been left accessible over the internet.


SOCRadar, which has dubbed the data breach “BlueBleed”, has created a website where concerned companies can search to see if their data has been exposed.


Microsoft has not shared any details about the size of the data breach, and while thanking SOCRadar for raising the alarm about the data leak, it has claimed that the researchers had “greatly exaggerated the scope of this issue”:

Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error.

The public release of SOCRadar’s BlueBleed search tool seems to have particularly upset Microsoft, saying that it is “not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk.”

Microsoft argues that any security firm releasing such a tool should put in place basic measures such as verifying users before allowing them to search for data related to their domain.

Microsoft should be rightly embarrassed by its sloppy security, which has needlessly exposed the data of its customers. I suspect that most Microsoft customers will be less bothered with the quibbling over just how much data was carelessly exposed, and more worried that the security cock-up happened in the first place.

According to SOCRadar, Microsoft responded within hours of being notified of the problem, reconfiguring its Azure Blob Storage cloud bucket to properly secure it from unauthorised access.

It’s obviously a positive thing that the misconfigured server has been secured, but it is unfortunately the case that this particular horse has already bolted – for there are reports that Microsoft’s leaky bucket has been “publicly indexed for months”.
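The root cause described above is an Azure Blob Storage container left readable by anonymous internet users. As an added example (not code from this article, SOCRadar or Microsoft), here is a small Python audit helper that takes the JSON output of `az storage account list` and `az storage container list` and reports containers that are still anonymously reachable; the sample JSON is constructed, and the field names (`allowBlobPublicAccess`, `properties.publicAccess`) are assumed to match the az CLI schema.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample of `az storage account list -o json` (made-up names).
SAMPLE_ACCOUNTS = json.dumps([
    {"name": "corpdocs", "resourceGroup": "rg-a", "allowBlobPublicAccess": True},
    {"name": "locked", "resourceGroup": "rg-b", "allowBlobPublicAccess": False},
])
# Constructed sample of `az storage container list` per account.
SAMPLE_CONTAINERS = {
    "corpdocs": json.dumps([
        {"name": "partner-files", "properties": {"publicAccess": "container"}},
        {"name": "private", "properties": {"publicAccess": None}},
    ]),
    "locked": json.dumps([]),
}


def find_exposed_containers(accounts_json: str, containers_json: Dict[str, str]) -> List[Dict[str, str]]:
    """Return containers that anonymous users can read: the account-level
    'allow blob public access' switch is on (or unset, which we treat as
    unknown and still report) AND the container ACL is 'blob' or 'container'."""
    findings = []
    for acct in json.loads(accounts_json):
        if acct.get("allowBlobPublicAccess") is False:
            continue  # account-level switch blocks anonymous reads whatever the container ACL says
        for c in json.loads(containers_json.get(acct["name"], "[]")):
            level = (c.get("properties") or {}).get("publicAccess")
            if level in ("blob", "container"):
                findings.append({"account": acct["name"], "container": c["name"], "level": level})
    return findings


def run_az(args: List[str]) -> str:
    """Run an az CLI command and return its JSON output (requires a logged-in az)."""
    return subprocess.run(["az", *args, "-o", "json"], check=True,
                          capture_output=True, text=True).stdout


def audit_subscription() -> List[Dict[str, str]]:
    """Live audit of the current subscription using the same logic as above."""
    accounts = run_az(["storage", "account", "list"])
    containers = {
        a["name"]: run_az(["storage", "container", "list", "--account-name", a["name"], "--auth-mode", "login"])
        for a in json.loads(accounts)
    }
    return find_exposed_containers(accounts, containers)


if __name__ == "__main__":
    for f in audit_subscription():
        print(f"{f['account']}/{f['container']}: anonymous access level '{f['level']}'")
```

Fixing a finding is a two-step change: set the container ACL back to private and turn off `--allow-blob-public-access` on the account, so a later container mistake cannot reopen the hole.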


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
