(Credit: Thomas Trutschel/Photothek/Getty Images)
Just one week after US federal agencies said Microsoft's corporate culture is to blame for its lackluster security practices and past breaches, a new Microsoft security issue has been reported.
Researchers at cybersecurity firm SOCRadar tell TechCrunch that they were able to easily access internal Microsoft data on an Azure cloud server in February because Microsoft didn't password-protect the data. The public storage server held information about Microsoft's Bing search engine as well as files with other passwords and credentials, code, and scripts for various company processes.
It took Microsoft about a month to secure the data after SOCRadar notified them, according to the report, but it's unclear how long the sensitive information was effectively open to the public.
The researchers warn that if malicious actors gained access to the data, significant leaks or compromised Microsoft services could be on the horizon.
"Though the credentials should not have been exposed, they were temporary, accessible only from internal networks, and disabled after testing. We thank our partners for responsibly reporting this issue," a Microsoft representative tells PCMag via email.
Unfortunately, Microsoft has suffered breaches and code leaks before. Last month, the company said Russian hackers infiltrated its corporate email system and used data in those emails to access Microsoft source code repositories. Last year, one Microsoft AI employee accidentally leaked 38TB of data via a bad URL, leaving Microsoft's AI models vulnerable to exploit or attack.
And in 2022, the cybercriminal group known as LAPSUS$ leaked a 37GB trove of swiped Microsoft data on Bing and its Maps feature as well as Microsoft's now-defunct voice assistant Cortana.
Last week, a Microsoft representative told PCMag that it plans to "adopt a new culture" around security after a board created by the US Cybersecurity and Infrastructure Security Agency criticized Microsoft's security practices and called for "fundamental" changes. "Our security engineers continue to harden all our systems against attack and implement even more robust sensors and logs to help us detect and repel the cyber-armies of our adversaries," the rep said.
Editor's Note: This story has been updated to include comment from Microsoft.