Customer Data of Microsoft Leaked due to Misconfigured Storage Server

The cybersecurity company that uncovered the leak says tens of thousands of companies were affected. But Microsoft says the scale of the problem has been ‘exaggerated.’

Microsoft said Wednesday that an unspecified amount of customer data, including contact info and email content, was recently left exposed to potential access over the internet as a result of a server configuration error.

According to a post today by the Microsoft Security Response Center, the breach related to a misconfigured Microsoft endpoint that was detected by security researchers at SOCRadar Cyber Intelligence Inc. on Sept. 24. 

The misconfiguration resulted in the potential for unauthenticated access to some business transaction data corresponding to interactions between Microsoft and prospective customers, such as the planning or potential implementation and provision of Microsoft services.

Microsoft secured the endpoint hours after SOCRadar informed it of the exposure. The data includes files dated from 2017 to August 2022.

The exposed information included names, email addresses, email content, company name, phone numbers, and files “relating to business between a customer and Microsoft or an authorized Microsoft partner,” the company said, and affected customers have been notified.

Redmond added that the leak was caused by the “unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem” and not due to a security vulnerability.

Microsoft has clarified that while there was potential for unauthorized access to the bucket, its investigation has revealed no such activity took place at the endpoint.

The cybersecurity firm discovered the exposed data through a company product that can scan the internet for misconfigured cloud servers exposing sensitive data.

Microsoft disputed SOCRadar’s claims about the size of the leak, saying that an “analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users.”

Microsoft expressed disappointment that SOCRadar released a public search tool, as it may expose customers to “unnecessary risk.” SOCRadar should have implemented a system that uses verification to ensure that data is revealed only to users affected by the leak and that information is displayed only to the actual user.

SOCRadar’s data leak search portal is named BlueBleed, and it lets companies check whether their sensitive information was exposed in the leaked data.

“Threat actors who may have accessed the bucket may use this information in different forms for extortion, blackmailing, creating social engineering tactics with the help of exposed information, or simply selling the information to the highest bidder on the dark web and Telegram channels,” SOCRadar warned.



from Virtualattacks https://ift.tt/fVkP731
