Login credentials of Microsoft employees and other company data were left exposed on an unprotected Azure storage server, according to security researchers.

The server contained passwords and keys that Microsoft employees use to access internal systems along with code, scripts, and configuration files, SOCRadar researchers told TechCrunch.

The cybersecurity firm notified Microsoft of the exposure on February 6, and the tech giant secured the server almost one month later on March 5. It’s unclear if anyone other than the security researchers accessed this information while it was exposed.

Leak Might Lead to Data Breaches

The researchers said the Microsoft Azure server, which was left without password protection, is linked to Microsoft’s Bing search engine. “From references to names similar to ‘clientcenter’ and from database names, it’s clear that those using the Bing ADS system could be affected,” Can Yoleri, a senior security researcher at SOCRadar, told VPNOverview in an email.

Yoleri told TechCrunch that the exposed credentials “could result in more significant data leaks and possibly compromise the services in use,” highlighting the gravity of the situation.

Meanwhile, a spokesperson for Microsoft told the news outlet on Thursday that “the credentials should not have been exposed, they were temporary, accessible only from internal networks, and disabled after testing.” Though this does not say much, it confirms the critical misstep by the tech giant.

This is far from Microsoft’s first security blunder. In 2022, SOCRadar came across a misconfigured Azure “Blob” instance — another Microsoft cloud service — where sensitive information of potential clients was left exposed. Also, in 2022, a notorious ransomware gang claimed it breached Microsoft‘s Azure DevOps server, which contained the source code for confidential projects like Cortana and Bing and emails between Microsoft’s engineers.

How to Prevent Data Leaks

It’s important for organizations to secure their servers and protect sensitive information from leaks. Unfortunately, many organizations fail to do this.

In 2022, VPNOverview researchers found the personally identifiable information (PII) of nearly half a million Sephora shoppers on an unsecured AWS (Amazon Web Services) S3 storage bucket.

“With each passing day, the number of buckets made public on the internet either by mistake or under the assumption that they won’t be found anyway increases, but it can be detected. These exposed buckets often contain information and files critical to companies,” Yoleri said.

Here are a few ways to safeguard against such leaks:

• Ensure all servers and databases are protected with strong, unique passwords. Ensure that these servers are not accessible to the public.
• Implement real-time monitoring and regular audits of systems to detect unauthorized access or vulnerabilities promptly.
• Practice the principle of least privilege by limiting access to sensitive information only to those who require it for their job functions.
• Encrypt data at rest and in transit to protect against unauthorized access, even if a breach occurs.