Microsoft said today that some of its customers' sensitive information was exposed by a misconfigured Microsoft server accessible over the Internet. The misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provision of Microsoft services. March 3, 2022: Laboratory Bako Diagnostics (BakoDX) confirmed that the company experienced a data breach resulting in the personal and healthcare information of certain consumers being compromised. For example, through the flaw, which was related to Internet Explorer 6 specifically, attackers gained the ability to download malware onto a Google employee's computer, giving them access to proprietary information. Microsoft confirmed the breach on March 22 but stated that no customer data had . Microsoft was alerted by security researchers at SOCRadar about a misconfigured endpoint that had exposed some customer information. Some of the original attacks were traced back to Hafnium, which originates in China. Microsoft does not (nor does any other cloud vendor) like it when their perfect cloud is exposed for being not so perfect after all. IBM found that the global average cost of a data breach in 2022 was the highest ever since the dawn of conducting these reports.
The SOCRadar researchers also note that the leaking data on the Azure Blob Storage instance totaled 2.4 terabytes and included proof-of-execution and statement-of-work documents, including some that may reveal intellectual property. Once its system was impacted, additional hacking activity occurred through its systems, allowing the attackers to reach Microsoft customers as a result. For its part, Microsoft claimed that it had quickly secured its servers upon being notified, and that it has alerted affected customers of the potential data breach. However, with the sheer volume of hacks, it's likely that multiple groups took advantage of the vulnerability. The threat intel company added that, from its analysis, the leaked data "includes Proof-of-Execution (PoE) and Statement of Work (SoW) documents, user information, product orders/offers, project details, PII (Personally Identifiable Information) data, and documents that may reveal intellectual property." The intrusion was only detected in September 2021 and included the exposure and potential theft of . One main issue was the implementation of a sign-in system that allowed users to link their Microsoft and Skype accounts. History has shown that when it comes to ransomware, organizations cannot let their guards down. Microsoft admits a storage misconfiguration, data tracker leads to a data breach at a second US hospital chain, and more. Can somebody tell me how much BlueBleed (socradar.io) is trustworthy? SOCRadar described it as one of the most significant B2B leaks. "On this query page, companies can see whether their data is published anonymously in any open buckets."
Several members of the group were later indicted, and one member, David Pokora, became the first foreign hacker to ever receive a sentence on U.S. soil. In total, SOCRadar claims it was able to link this sensitive information to more than 65,000 entities from 111 countries stored in files dated from 2017 to August 2022. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. According to the security firm, the leak, dubbed "BlueBleed I", covers data from 65,000 "entities" in 111 countries, from between 2017 and August 2022. It confirms that it was notified by SOCRadar security researchers of a misconfigured Microsoft endpoint on Sept. 24, 2022. In January 2020, news broke of a misconfigured Microsoft internal customer support database that left records on 250 million customers exposed. Eduard holds a bachelor's degree in industrial informatics and a master's degree in computer techniques applied in electrical engineering. In others, it was data relating to COVID-19 testing, tracing, and vaccinations. The company believes such tools should include a verification system to ensure that a user can only look for data pertaining to them, and not to other users. Along with distributing malware, the attackers could impersonate users and access files. Whether the first six months of 2022 have felt interminable or fleeting, or both, massive hacks, data breaches, digital scams, and ransomware attacks continued apace throughout the first half of . Not really. Was yours one of the billions of records stolen through breaches in recent years? The main concern is that the data could make the customers prime targets for scammers, as it would make it easier for them to impersonate Microsoft support personnel. Like many underground phenomena on the internet, it is poorly understood and shrouded in the sort of technological mysticism that people often ascribe to things like hacking or Bitcoin.
However, it isn't clear whether the information was ultimately used for such purposes. The popular password manager LastPass faced a major attack last year that compromised sensitive data of its users, including passwords. Once the hackers could access customer networks, they could use customer systems to launch new attacks. Microsoft hasn't shared any further details about how the account was compromised but provided an overview of the Lapsus$ group's tactics, techniques and procedures, which the company's Threat. We've compiled 98 data breach statistics for 2022 that also cover types of data breaches, industry-specific stats, risks, costs, as well as data breach defense and prevention resources. Organizations can face big financial or legal consequences from violating laws or requirements. In this case, Microsoft was wholly responsible for the data leak. "Our investigation did not find indicators of compromise of the exposed storage location." A representative for LinkedIn reported to Business Insider that this data was scraped from publicly available data on the platform. "This misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provisioning of Microsoft services," the company revealed. Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error.
Additionally, Microsoft hadn't planned to release a patch until the next scheduled major update for Internet Explorer, though it ultimately had to accelerate its plan when attackers took advantage of the vulnerability. "Security researchers at SOCRadar informed Microsoft on September 24, 2022, of a misconfigured Microsoft endpoint," Microsoft wrote in a detailed security response blog post. SOCRadar VP of Research Ensa Seker told the publication that no data was shared with anyone through the use of BlueBleed, and all the data that it had collected has since been deleted. However, it's close to impossible to handle manually. October 2022: 548,000+ Users Exposed in BlueBleed Data Leak. Duncan Riley. "The leaked data does not belong to us, so we keep no data at all," Seker told Bleeping Computer, noting that his company was disappointed with Microsoft's accusations. Though Microsoft would not reveal how many people were impacted, SOCRadar researchers claimed that 65,000 entities across 111 countries may have had their data compromised, which includes. However, SOCRadar also responded by making its BlueBleed search portal available to Microsoft customers who might be concerned they have been affected by the leak. Microsoft, one of the world's largest technology companies, suffered a serious security breach in March 2022. Microsoft confirmed that a misconfigured system may have exposed customer data. "We are highly disappointed about MSRC's comments and accusations after all the cooperation and support provided by us that absolutely prevented the global cyber disaster." It isn't clear how many accounts were impacted, though Microsoft described it as a limited number. Additionally, the tech giant asserted that email contents and attachments, as well as login credentials, were not compromised in the hack.
Ultimately, the responsibility of preventing accidental data exposure falls on the Chief Information Security Officer (CISO) and Chief Data Officer. In April 2021, personal data on over 500 million LinkedIn users was posted for sale on a hacker forum. While it's known that the records were publicly accessible, it isn't clear whether the data was actually accessed by cybercriminals. You can think of it like a B2B version of haveIbeenpwned. Sensitive data can live in unexpected places within your organization. Lapsus took to social media to post a screen capture of the attack, making it clear that its team was deserving of what it considers . This will make it easier to manage sensitive data in ways to protect it from theft or loss. Lapsus$ Group's Extortion Rampage. While the internet has dramatically expanded the ability to share knowledge, it has also made issues of privacy more complicated. Hackers also had access relating to Gmail users. Below, you'll find a full timeline of Microsoft data breaches and security incidents, starting with the most recent. It's being called the biggest breach of all time and the mother of all breaches: COMB, or the Compilation of Many Breaches, contains more than 3.2 billion unique pairs of cleartext emails and passwords. According to one source, the hacker gained access to the Slack account of an HR employee, as well as data such as email addresses, phone numbers, and salaries of Activision employees. The company has also been making a bigger push and investment in cybersecurity with its new Microsoft Security Experts program and integrating security intelligence into its Windows Defender tool.
Of the files that were collected, SOCRadar's analysis revealed that these included proof of concept works, internal comments and sales strategies, customer asset documents, product orders, offers, and more. In February 2022, News Corp admitted server breaches way back to February 2020. Thu 20 Oct 2022 // 15:00 UTC. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia's security news reporter. Mar 23, 2022, Ravie Lakshmanan: Microsoft on Tuesday confirmed that the LAPSUS$ extortion-focused hacking crew had gained "limited access" to its systems, as authentication services provider Okta revealed that nearly 2.5% of its customers have been potentially impacted in the wake of the breach. For the 2022 report, Allianz gathered insights from 2,650 risk management experts from 89 countries and territories. A hacking group known as the Xbox Underground repeatedly hacked Microsoft systems between 2011 and 2013. Breaches of sensitive data are extremely costly for organizations when you tally data loss, stock price impact, and mandated fines from violations of General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), or other regulations. Some records contained highly sensitive personal information, such as full names, birth dates, Social Security numbers, addresses, and demographic details. But there weren't any other safeguards in place, such as a warning notification inside the software announcing that a system change would make the data public. While the bulk was for a Russian email service, approximately 33 million, about 12 percent of the total stash, were for Microsoft Hotmail accounts.
Many people are justifiably worried about their personal information being stolen or viewed, including bank records, credit card info, and browser or login history. In July 2021, the Biden administration and some U.S. allies formally stated that they believed China was to blame. SOCRadar said the exposed data belonged to Microsoft and it totaled 2.4 Tb of files collected between 2017 and August 2022. The proposed Securities and Exchange Commission rule creates new reporting obligations for United States publicly traded companies to disclose cybersecurity incidents, risk management, policies, and governance. If hackers gained access to that Skype password, they could effectively bypass the two-factor authentication, giving them access. Data leakage protection is a fast-emerging need in the industry. Microsoft has confirmed it was hacked by the same group that recently targeted Nvidia and Samsung. SOCRadar executives stated that the company does not keep any of the data it comes across and has since deleted any data that its tool may have accessed. Let's look at four of the biggest challenges of sensitive data and strategies for protecting it. In it, they asserted that no customer data had been compromised; per Microsoft's description, only a single account was hijacked, and the company's security team was able to stop the attack before Lapsus$ could infiltrate any deeper into their organization. Microsoft itself has not publicly shared any detailed statistics about the data breach. It can be overridden too so it doesn't get in the way of the business. So, tell me Mr. & Mrs. Microsoft, would there be any chance at all that you may in fact communicate with your customer base. Cyber incidents topped the barometer for only the second time in the survey's history. In November 2016, word of pervasive spam messages coming from Microsoft Skype accounts broke.
In April 2019, Microsoft announced that hackers had acquired a customer support agent's credentials, giving them access to some webmail accounts, including @outlook.com, @msn.com, and @hotmail.com accounts, between January 1, 2019, and March 28, 2019. In December 2020, vulnerabilities associated with SolarWinds, an infrastructure monitoring and management software solution, were exploited by Russian hackers. As Microsoft continued to investigate activities relating to the SolarWinds hackers, which Microsoft dubbed Nobelium, it determined that additional systems had been compromised by the attackers.