Summary 

Security researchers at SOCRadar informed Microsoft on September 24, 2022, of a misconfigured Microsoft endpoint. This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services.    

Upon being notified of the misconfiguration, the endpoint was quickly secured and is now only accessible with required authentication. Our investigation found no indication customer accounts or systems were compromised. We have directly notified the affected customers.

Customer Impact  

The business transaction data included names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner. The issue was caused by an unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem and was not the result of a security vulnerability.  We are working to improve our processes to further prevent this type of misconfiguration and performing additional due diligence to investigate and ensure the security of all Microsoft endpoints.  

We appreciate SOCRadar informing us about the misconfigured endpoint, but after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue.  Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error.

More importantly, we are disappointed that SOCRadar has chosen to release publicly a “search tool” that is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk.  We recommend that any security company that wants to provide a similar tool follow basic measures to enable data protection and privacy:  

1. to implement a reasonable verification system to ensure that a user is who it purports to be;  
2. to follow data minimization principles by scoping the results delivered solely to information pertaining to that verified user only;  
3. where that company is not in a position to determine with reasonable fidelity which customers had affected data, to not then surface to a given user information (including metadata/filenames) that may belong to another customer. 

We have focused our attention on directly notifying impacted customers and provided them with instructions for contacting Microsoft with questions or concerns. If you did not receive a Message Center communication, our investigation did not identify an impact to you or your organization.  

-MSRC