It was recently discovered that confidential source code was left exposed and accessible in an unsecured Microsoft Azure cloud storage account.
The data appears to come from a series of pitches made to Microsoft Dynamics by various companies, which included software source code for products that have been released. The dataset contains around 63GB of data in 4,000 separate files and includes business pitch decks, product descriptions, and hardcoded passwords.
It was stated that the exposure seems to originate from within Microsoft itself, exposing highly sensitive internal data about well-known companies’ operations and products.
However, Microsoft failed to acknowledge the data breach or claim responsibility. Hence, the investigation team cannot verify whether the file belongs to Microsoft or not.
Moreover, it was also reported that although the data is now secured, it could still represent a threat if a malicious actor obtained the source code. Indeed, this would make it much easier for them to find vulnerabilities within a product or database and manipulate it in order to gain access to more sensitive data.
By doing so, they could then exfiltrate further data, or even assume remote control of the systems running the code, which could enable them to conduct further attacks.
It was said that the incident could have been avoided by securing the servers, implementing access rules, and not leaving systems that don’t require authentication open to the internet.