Microsoft resolved a security lapse that exposed internal company files and credentials to the open internet, security researchers said. Can Yoleri, Murat Özfidan and Egemen Koçhisarlı with SOCRadar found an open and public storage server which is hosted on Microsoft’s Azure cloud service. It was storing internal information relating to Microsoft’s Bing search engine which included code, scripts and configuration files containing passwords used by the Microsoft employees for accessing internal systems.
The storage server was not protected with a password and could be accessed by anyone on the internet, Can Yoleri told TechCrunch adding that the data may help malicious actors identify or access other places where Microsoft stores its internal files which “could result in more significant data leaks and possibly compromise the services in use.”
The researchers informed Microsoft of the security lapse on February 6 and the company secured the files on March 5, they said.
This comes as the company has gone through a series of cloud security incidents in recent years. Last year, researchers found Microsoft employees were exposing their own corporate network logins in code published to GitHub. The company had also, in a different incident, admitted that it did not know how China-backed hackers stole an internal email signing key which allowed them broad access to Microsoft-hosted inboxes of senior US government officials.