View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
April 11, 2024updated 12 Apr 2024 9:52am

Microsoft exposed employee passwords in recent data breach

An unsecured server is the latest in a series of hits to the tech giant’s reputation in regards to security management.

By Lauren Hurrell

One of Microsoft’s servers exposed employee credentials to the open internet, according to a recent TechCrunch report. While the server has since been locked down, this is the latest in a string of security mishaps that have seen the tech giant come under mounting scrutiny.

The unsecured Azure storage server contained code, scripts and configuration files containing passwords and confidential data used by staff to access internal databases and systems.

The lapse was detected by Can Yoleri, Murat Özfidan and Egemen Koçhisarlı of cybersecurity company SOCRadar. It is still unclear how long the server had been exposed to the public, and whether the information detailed in the security breach was discovered by anyone else besides the three researchers.

Microsoft’s dominance across the enterprise software stack makes any breaches incredibly high profile. (Photo by IB Photography via Shutterstock).

Leaked credentials put Microsoft systems at risk

The server containing security credentials was attached to Microsoft’s Bing search engine and accessible without password protection. This made the server, used by Microsoft employees to access internal systems, available to anyone on the internet.

Microsoft was alerted to the security oversight on 6 February, but did not secure the exposed files until 5 March. Yoleri told TechCrunch that the exposed data “could result in more significant data leaks and possibly compromise the services in use”.

Microsoft’s series of breaches

The server breach is the latest in a series of security mishaps for Microsoft. Just last month, the US government’s Cyber Safety Review Board released a report of the “preventable” Microsoft security breach that occurred over the summer of 2023. The attack involved a “cascade of Microsoft’s avoidable errors”, enabling Chinese government-backed cyber operators to hack into the email accounts of senior US officials, including Commerce Secretary Gina Raimondo.

In the same month that Microsoft publicly disclosed the China-backed attack, Anonymous Sudan claimed to have hacked Microsoft systems and obtained data pertaining to over 30 million Microsoft accounts. Microsoft claimed to have seen “no evidence that customer data has been accessed or compromised”, though the “hacktivist” group did provide what it claimed was a sample of the data.

Content from our partners
Rethinking cloud: challenging assumptions, learning lessons
DTX Manchester welcomes leading tech talent from across the region and beyond
The hidden complexities of deploying AI in your business

Earlier this year, Microsoft reported it was countering a cyberattack by Russian state-sponsored hackers, which resulted in the theft of company source code and internal emails between senior Microsoft staff.

Indeed, this is not even the first time a Microsoft security lapse has been surfaced by SOCRadar. In October 2022 the company reported having identified a data leak of over 2.4 terabytes of exposed data on a misconfigured Microsoft endpoints. Microsoft claimed SOCRadar had “greatly exaggerated the scope of” the attack.

Microsoft’s dominance across the enterprise software stack renders any breaches as incredibly high profile – and potentially hugely damaging. Earlier this week, Microsoft confirmed it had fixed a record number of 147 security vulnerabilities, cited in an update from the company on April 9th which classified the fixes as critical. All but two of the security vulnerabilities were considered “high risk”, and the company claimed none of the vulnerabilities were exploited. Further details on those vulnerabilities have not been disclosed.

At the same time, Microsoft’s own cybersecurity business is becoming an increasingly significant revenue driver. Evercore ISI estimates that the unit will be generating $37.2 billion annually by next year, accounting for 14% of overall revenue – up from 10% in 2022.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.