The research team at vpnMentor believes that they discovered a leak of data that may belong to Microsoft and other tech companies.
vpnMentor’s research team led by Noam Rotem found a breach that exposed sensitive internal data that was stored on a misconfigured Microsoft Azure cloud storage account. Researchers determined that some of the files appeared to originate from a series of pitches made to Microsoft Dynamics from numerous companies for different projects or partnerships with the tech giant.
In many cases, pitches included source code for software products, some of which are now released to the market. This led to the exposure of highly sensitive internal data of some well-known companies. The breach also exposed certain information about their operations and product lines. Source codes of between 10-15 products had been exposed, which included data like passwords for live databases hardcoded into the source code.
The total size of the leaked data is 63GB across over 3,800 files. Researchers say the breach happened on 7th January 2021 and was secured by Microsoft by 23rd February 2021.
Azure Blob Storage, the platform on which these files were stored, has been developed by the tech giant for large, multinational enterprise clients.
Exposed source code can give hackers a way to find critical vulnerabilities in the product or database for example by identifying less secure areas which data security protocols typically protect.
Hackers could extract sensitive data, find ways to embed malware into the product, or potentially use the leaked source code for one product to access and infect an entire company’s network.
VpnMentor researchers described their findings in a blog post and provided advice to securing their Open Blob Storage instances.
In addition, Microsoft provides the following instructions to Azure users to help them secure blobs:
- Making the bucket private, adding authentication protocols.
- Following Azure access and authentication best practices.
- And adding more layers of protection to their Azure account to additionally restrict who can access it from entry points.
