One of Microsoft’s servers exposed employee credentials to the open internet, according to a recent TechCrunch report. While the server has since been locked down, this is the latest in a string of security mishaps that have seen the tech giant come under mounting scrutiny.
The unsecured Azure storage server held code, scripts and configuration files containing passwords and confidential data used by staff to access internal databases and systems.
The lapse was detected by Can Yoleri, Murat Özfidan and Egemen Koçhisarlı of cybersecurity company SOCRadar. It is still unclear how long the server had been exposed to the public, and whether the exposed information was discovered by anyone besides the three researchers.
Leaked credentials put Microsoft systems at risk
The server containing security credentials was attached to Microsoft’s Bing search engine and accessible without password protection. This made the server, used by Microsoft employees to access internal systems, available to anyone on the internet.
Microsoft was alerted to the security oversight on 6 February, but did not secure the exposed files until 5 March. Yoleri told TechCrunch that the exposed data “could result in more significant data leaks and possibly compromise the services in use”.
Microsoft’s series of breaches
The server breach is the latest in a series of security mishaps for Microsoft. Just last month, the US government’s Cyber Safety Review Board released a report on the “preventable” Microsoft security breach that occurred over the summer of 2023. The attack involved a “cascade of Microsoft’s avoidable errors”, enabling Chinese government-backed cyber operators to hack into the email accounts of senior US officials, including Commerce Secretary Gina Raimondo.
In the same month that Microsoft publicly disclosed the China-backed attack, Anonymous Sudan claimed to have hacked Microsoft systems and obtained data pertaining to over 30 million Microsoft accounts. Microsoft claimed to have seen “no evidence that customer data has been accessed or compromised”, though the “hacktivist” group did provide what it claimed was a sample of the data.
Earlier this year, Microsoft reported it was countering a cyberattack by Russian state-sponsored hackers, which resulted in the theft of company source code and internal emails between senior Microsoft staff.
Indeed, this is not even the first time a Microsoft security lapse has been surfaced by SOCRadar. In October 2022 the company reported having identified a data leak of over 2.4 terabytes of exposed data on a misconfigured Microsoft endpoint. Microsoft claimed SOCRadar had “greatly exaggerated the scope of” the attack.
Microsoft’s dominance across the enterprise software stack makes any breach incredibly high profile – and potentially hugely damaging. Earlier this week, Microsoft confirmed it had fixed a record number of 147 security vulnerabilities, cited in an update from the company on April 9th which classified the fixes as critical. All but two of the security vulnerabilities were considered “high risk”, and the company claimed none of the vulnerabilities were exploited. Further details on those vulnerabilities have not been disclosed.
At the same time, Microsoft’s own cybersecurity business is becoming an increasingly significant revenue driver. Evercore ISI estimates that the unit will be generating $37.2 billion annually by next year, accounting for 14% of overall revenue – up from 10% in 2022.