By Soumyadeep Sarkar and Azure Security News
According to a report by leading VPN review website vpnMentor, a misconfigured Microsoft Azure blob storage containing sensitive information has allegedly been left exposed and vulnerable to hackers. While data leaks like these aren’t anything new, what makes this interesting is that this time, Microsoft itself might be the one to blame.
According to vpnMentor, the information at risk contains internal data such as business pitches, product descriptions, product codes and hardcoded passwords, and more. What gives it the twist for the bizarre is that vpnMentor’s findings suggest that the Azure server was presumably misconfigured by Microsoft themselves. And since the files were not adequately secured, they can be accessed by anyone with the most rudimentary of hacking skills.
Further study has revealed that the data in question originates from a series of pitches made to Microsoft Dynamics by companies. Many of the pitches include software source code for products, some of which have subsequently been released. Nearly 63GB of data is contained in almost 4,000 separate files, and it includes business pitch decks, product descriptions, and hardcoded passwords. With the Azure server being misconfigured, this data has now been left vulnerable.
Each of these firms – including some well-known companies – was exposed, with highly sensitive internal data about their operations and product lines publicly accessible,” wrote vpnMentor in a blog post.
Microsoft Dynamics refers to a suite of integrated enterprise products and software applications offered by Microsoft to companies that primarily work in financial services, retail, the public sector, and manufacturing. It focuses on software products related to enterprise resource planning (ERP), customer relationship management (CRM), and software as a service (SAAS).
While this issue was first discovered by vpnMentor’s team of researchers back in January 2021, it was not until recently that they found out that Microsoft was responsible for the misconfiguration.
“We also suspected Microsoft was responsible. So, we then reached out to the company several times to ensure the files were made secure and to confirm the data belonged to them. While we received only automated responses from the company, the Azure Blob account was secured in the meantime,” vpnMentor said.
When Microsoft was finally made aware of the issue, it failed to acknowledge the data breach or claim any responsibility. “As a result, we have no way to verify whether the file belongs to Microsoft,” vpnMentor said.
By exposing the source codes of the products, the product is now exposed since hackers can now find vulnerabilities manipulate them to gain access to more sensitive data held by their target users – bypassing normal data security protocols. Not only will they be able to sell sensitive information like usernames and passwords on the dark web, but they can exfiltrate more data in time and aid in corporate espionage and theft of intellectual property.