Just one week after US federal agencies said Microsoft's corporate culture was to blame for its poor security practices and past breaches, a new security issue has been reported at Microsoft.
Researchers at cybersecurity firm SOCRadar tell TechCrunch they were able to easily access internal Microsoft data on an Azure cloud server in February because Microsoft did not password-protect the data. The public storage server held information about Microsoft’s Bing search engine, as well as files containing other passwords, credentials, code, and scripts for various corporate operations.
It took Microsoft about a month to secure the data after SOCRadar notified it, according to the report, but it's unclear how long the sensitive information was effectively open to the public.
The researchers warned that if malicious parties were able to access the data, there could be major leaks or compromised services for Microsoft.
“Although the credentials were not intended to be exposed, they were temporary, accessible only from internal networks, and were disabled after testing. We thank our partners for reporting this issue responsibly,” a Microsoft representative told PCMag via email.
Unfortunately, Microsoft has suffered from breaches and code leaks before. Last month, the company said that Russian hackers infiltrated its email system and used data from those emails to access Microsoft’s source code repositories. And last year, a Microsoft AI employee accidentally leaked 38 terabytes of data via a botched URL, leaving Microsoft’s AI models vulnerable to exploitation or attack.
In 2022, a cybercrime group known as LAPSUS$ leaked a massive 37GB of data stolen from Microsoft, covering its Bing search engine, its mapping feature, and the now-defunct Cortana voice assistant.
Last week, a Microsoft representative told PCMag that the company was planning to “adopt a new culture” around security after a council created by the U.S. Cybersecurity and Infrastructure Security Agency criticized Microsoft’s security practices and called for “fundamental” changes. “Our security engineers continue to harden all of our systems against attacks and implement more robust sensors and logs to help us detect and repel our adversaries’ cyber armies,” the representative said.
Editor's note: This story has been updated to include comment from Microsoft.