Unprotected and exposed: how Microsoft left employee data accessible for a month

The servers with employee login credentials were exposed to the internet


In a significant security oversight, Microsoft inadvertently exposed sensitive internal data, including employee passwords, on an unsecured Azure cloud server.[1] This breach, which persisted for nearly a month, involved a server that stored essential components related to Microsoft's Bing search engine.

Accessible without any password protection, the server housed critical assets such as code, scripts, and configuration files. These files contained not just passwords but also keys and credentials that Microsoft employees used to access other internal systems. The exposure was not just a breach of privacy but also a potential gateway for further unauthorized access to Microsoft’s expansive internal network.

The sensitive data was exposed for over a month

The vulnerability was initially discovered by security researchers Can Yoleri, Murat Özfidan, and Egemen Koçhisarlı of SOCRadar, who specialize in identifying cybersecurity flaws. After identifying the exposed server, the researchers quickly notified Microsoft of their findings on February 6.

The response from Microsoft, however, took almost a month as the data was not secured until March 5. This delay in response highlights potential gaps in Microsoft's incident response protocols. During the time the server remained open, there was a real risk that unauthorized individuals could have accessed the information, although there is no public evidence to confirm whether such access occurred.

According to the response TechCrunch received from Microsoft, the credentials were only accessible from internal networks:[1]

"Though the credentials should not have been exposed, they were temporary, accessible only from internal networks, and disabled after testing. We thank our partners for responsibly reporting this issue."

The exposure of Microsoft’s internal credentials and other sensitive data could have severe implications. As pointed out by researcher Can Yoleri, the exposed data not only put Microsoft’s direct systems at risk but could also enable attackers to map out and access other parts of Microsoft's digital infrastructure.

Such breaches are not merely about the immediate loss of data but also about the potential for cascading failures across various services and applications that rely on Microsoft's systems. The breach could have led to more extensive data leaks, compromised service integrity, and a significant erosion of trust among Microsoft’s clients and partners.

Microsoft's past track record is not perfect either

This incident is the latest in a series of security incidents at Microsoft that highlight ongoing challenges in the company's cybersecurity efforts. For instance, in 2023, the US Cyber Safety Review Board criticized Microsoft for its mishandling of a breach involving its Exchange Online software, which was exploited by Chinese hackers to access US government officials' emails.[2] This breach was deemed preventable and was attributed to Microsoft’s lax security practices and a corporate culture that undervalued rigorous risk management.

Another notable misstep occurred in 2022 when Microsoft employees inadvertently uploaded sensitive system login credentials to GitHub, a platform accessible by the public.[3] These incidents underscore the need for Microsoft to reassess and strengthen its cybersecurity protocols, ensuring more robust defenses and quicker responses to potential threats.

The continued occurrence of these breaches indicates that Microsoft must prioritize comprehensive security reforms and continuous improvement of its cybersecurity measures. Ensuring data integrity and securing internal and customer data against potential leaks are crucial for maintaining trust and safeguarding the company’s reputation in the highly competitive tech industry.

About the author
Gabriel E. Hall
Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
