- SOCRadar has detected that sensitive data of 65,000 entities became public because of a misconfigured server.
- Six large public buckets contained information for more than 150,000 companies in 123 different countries.
- The information can be used in different forms, such as extortion, blackmailing, creating social engineering tactics, or simply selling the information.
SOCRadar announced that they have detected that sensitive data of 65,000 entities became public because of a misconfigured server, including Proof-of-Execution (PoE) and Statement of Work (SoW) documents, user information, product orders/offers, project details, PII (Personally Identifiable Information) data, and documents that may reveal intellectual property.
BlueBleed
SOCRadar’s built-in Cloud Security Module monitors public buckets and six large ones contained information for over 150,000 organizations from 123 different countries. The leaks are collectively dubbed BlueBleed by SOCRadar, to make it easier to track the intelligence around it.
The term “BlueBleed” was proposed by Can Yoleri, a Threat and Vulnerability Researcher at SOCRadar. It refers to the information leaked by six misconfigured buckets. SOCRadar announced that the first part of the collection is due to a misconfigured Azure Blob Storage. The exposed files in the misconfigured bucket include;
- POE documents,
- SOW documents,
- Invoices,
- Product orders,
- Product offers,
- Project details,
- Signed customer documents,
- POC (Proof of Concept) works,
- Customer emails (as well as .EML files),
- Customer product price list and customer stocks,
- Internal comments for customers (High risk etc.),
- Sales strategies,
- Customer asset documents, and
- Partner ecosystem details.
SOCRadar said,
« SOCRadar, an Extended Threat Intelligence platform, continuously monitors the surface web, deep web, and darknet for vulnerabilities and data leaks. BlueBleed Part I is discovered as the result of such monitoring. On September 24, 2022, SOCRadar’s built-in Cloud Security Module detected a misconfigured Azure Blob Storage maintained by Microsoft containing sensitive data from a high-profile cloud provider.
After the initial detection, SOCRadar researchers investigated a storage area in the bucket where SQLServer backups are stored. Further investigations on the backups led SOCRadar researchers to discover links between the misconfigured bucket and other Azure Blob Storages. A thorough investigation revealed that the sensitive data of tens of thousands of companies was exposed to the public due to this misconfiguration. The amount and scale of the leaked data make it the most significant B2B data leak in the recent history of cybersecurity. »
Microsoft also published a post about the incident and stated that the endpoint was quickly secured and is now only accessible with the required authentication. Microsoft announced that during the investigation, the company found no indication customer accounts or systems were compromised and affected customers are notified. According to the post, the business transaction data included names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner. Microsoft said,
« We appreciate SOCRadar informing us about the misconfigured endpoint, but after reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue. Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error.
More importantly, we are disappointed that SOCRadar has chosen to release publicly a “search tool” that is not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk. »
Microsoft also recommends that any security company that wants to provide a similar tool follow basic measures to enable data protection and privacy:
- To implement a reasonable verification system to ensure that a user is who it purports to be;
- To follow data minimization principles by scoping the results delivered solely to information pertaining to that verified user only;
- Where that company is not in a position to determine with reasonable fidelity which customers had affected data, to not then surface to given user information (including metadata/filenames) that may belong to another customer.