Microsoft has addressed a security incident involving its Azure cloud service that exposed internal company files and credentials to the open internet.
The breach was disclosed by researchers at security company SOCRadar, who spotted an open and public storage server hosted on Microsoft's Azure cloud service. This server was found to contain internal information related to Microsoft's Bing search engine, including code, scripts, and configuration files, TechCrunch reported.
These files contained passwords, keys, and credentials used by Microsoft employees to access various internal databases and systems.
The storage server itself lacked basic protection measures such as a password, making it accessible to anyone on the internet.
According to the researchers, the exposed data could help malicious actors identify and access additional storage locations where Microsoft stores its internal files, which could lead to more extensive data leaks.
The researchers notified Microsoft on February 6, and the company implemented measures to secure the exposed files. It remains unclear how long the cloud server was accessible to the internet and whether any unauthorized parties accessed the data during this period.
The Windows maker recently came under fire after the DHS Cyber Safety Review Board (CSRB) released a report on the May 2023 hack of Microsoft by the Chinese threat actor Storm-0558, in which the hackers breached an unidentified number of email accounts linked to around 25 organizations, including some related individual consumer accounts and government agencies in Western Europe and the US.
The CSRB’s report found Microsoft at fault for the intrusion, which officials said was “preventable,” adding that “Storm-0558 was able to succeed because of a cascade of security failures at Microsoft.” The board concluded that Microsoft's security culture is insufficient and necessitates a comprehensive overhaul.