The company has closed a security lapse that exposed its internal company files and credentials on the public internet.
Security researchers Can Yoleri, Murat Özfidan and Egemen Koçhisarlı of SOCRadar, a cybersecurity company that helps organisations find security weaknesses, discovered an open, publicly accessible storage server hosted on Microsoft's Azure cloud service that held internal information relating to Microsoft's Bing search engine.
The Azure storage server held code, scripts and configuration files containing passwords, keys and other credentials used by Microsoft employees to log into other internal databases and systems.
However, the storage server was not protected with a password, leaving it accessible to anyone on the internet.
Speaking to TechCrunch, Yoleri added that the exposed data could be used by hackers to discover or gain access to other locations where Microsoft stores its internal files. Identifying those storage locations "may lead to worse data leaks and even compromise the services being used," Yoleri said.
Researchers discovered Microsoft's leak on February 6, and the exposed files were closed off on March 5.
A spokesperson for Microsoft had not commented by the time of publication. In a statement sent after publication on Wednesday, Microsoft's Jeff Jones told TechCrunch, "Although the credentials should not have been exposed, the credentials were only available from internal networks, and the access was disabled after testing. We appreciate our partners who responsibly reported this issue."
Jones would not say how long the cloud server had been exposed to the internet, nor whether anyone other than SOCRadar had discovered the exposed data inside it.
This is the latest security gaffe for Microsoft as the company attempts to win back customer trust following a series of cloud-related security incidents over the past few years. Last year, researchers discovered a similar issue when they found that Microsoft employees were exposing their own corporate network logins by publishing code on GitHub.
Last year, Microsoft was also faulted when the company acknowledged it did not know how China-backed hackers had obtained an internal email signing key that opened the door to the contents of wide swaths of inboxes hosted by Microsoft on behalf of senior U.S. government officials. In a report published last week, an independent board of cyber experts tasked with investigating the email breach concluded that the hackers succeeded because of a "cascade of security failures at Microsoft."
The company has also revealed that it is still battling an ongoing cyberattack in which Russian state-backed hackers stole portions of the company's source code and internal emails from Microsoft corporate executives.