Related: Critical Vulnerabilities in Azure PostgreSQL Exposed User Databases, Related: Microsoft Confirms NotLegit Azure Flaw Exposed Source Code Repositories. While the exact number isnt clear, the issue potentially impacted over 30,000 U.S. companies, and as many as 60,000 companies worldwide. 43. LastPass, one of the world's most popular password managers, suffered a major data breach in 2022 that compromised users' personal data and put their online passwords and other . Microsoft asserted that there was no data breach on their side, claiming that hackers were likely using stolen email addresses and password combinations from other sources to access accounts. The misconfiguration in this case happened on the part of the third-party companies, and was not directly caused by Microsoft. Cyber Security Today, Oct. 21, 2022 - Microsoft storage misconfiguation . Lapsus took to social media to post a screen capture of the attack, making it clear that its team was deserving of what it considers . A couple of well-known brands, for instance, were fined hundreds of millions of euros in 2021. Cybersecurity in 2022 - A Fresh Look at Some Very Alarming Stats - Forbes The leaked data does not belong to us, so we keep no data at all. Based in the San Francisco Bay Area, when not working, he likes exploring the diverse and eclectic food scene, taking short jaunts to wine country, soaking in the sun along California's coast, consuming news, and finding new hiking trails. Since sensitive data is everywhere, we recommend looking for a multicloud, multi-platform solution that enables you to leverage automation. I'd assume MS is telling no more than they are legally required to and even at that possibly framing the information as best as possible to downplay it all. The threat of ransomware attacks, data breaches or major IT outages worries companies even more than business and supply chain disruption, natural disasters or the COVID-19 pandemic, all of. A configuration issue allowed customers to download Offline Address Books which contained business contact information for employees of other users inadvertently. Almost 70,000 patients had their personal data compromised in a recent breach of Kaiser Permanente. August 25, 2021 11:53 am EDT. Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users, Microsoft pointed out. Instead of finding these breaches out by landing on a page by accident or not, is quite concerning Amanda Silberling. Attackers gained access to the SolarWinds system, giving them the ability to use software build features. Instead, we recommend an approach that integrates data protection into your existing processes to protect sensitive data. However, the failure of the two-factor authentication system places at least some of the blame on the tech giant. Microsoft followed suit and named a Chinese state-sponsored hacker group, Hafnium, as the culprit behind the attack. According to Microsoft, the exposed information includes names, email addresses, email content, company name, and phone numbers, as well as files linked to business between affected customers and Microsoft or an authorized Microsoft partner. It isnt known whether the information was accessed by cybercriminals before the issues were addressed. whatsapp no. Besideswhat wasfound inside Microsoft's misconfigured server, BlueBleed also allows searching for data collected from five otherpublic storage buckets. The research firm insists that it has not overstepped any privacy protocols in its work and none of the information it uncovered was saved on its end. In March 2013, nearly 3,000 Xbox Live users had their credentials exposed after participating in a poll and entering a prize draw. Then, Flame returned a malicious executable file featuring a rogue certificate, causing the uninfected machine to download malware. It can be overridden too so it doesnt get in the way of the business. While its known that the records were publicly accessible, it isnt clear whether the data was actually accessed by cybercriminals. Microsoft admits a storage misconfiguation, data tracker leads to a data breach at a second US hospital chain, and more. Not really. It's also important to know that many of these crimes can occur years after a breach. Flame wasnt just capable of infecting machines; it could also spread itself through a network using a rogue Microsoft certificate. A global wave of cyberattacks and data breaches began in January 2021 after four zero-day exploits were discovered in on-premises Microsoft Exchange Servers, giving attackers full access to user emails and passwords on affected servers, administrator privileges on the server, and access to connected devices on the same network. "We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error.". The Cost of a Data Breach in 2022 | CSA Click here to join the free and open Startup Showcase event. Microsoft data breach exposes customers contact info, emails. There was a problem. You happily take our funds for your services you provide ( I would call them products, but products generally dont breakdown and require updates to keep them working), but hey I am no tech guru. This presentation will provide an overview of the security risks associated with SaaS, best practices for mitigating these risks and protecting data, and discuss the importance of regularly reviewing and updating SaaS security practices to ensure ongoing protection of data. VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system. Redmond added that the leak was caused by the "unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem" and not due to a security vulnerability. The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks. 2Cyberattacks Against Health Plans, Business Associates Increase, Jill McKeon, HealthITSecurity xtelligent Healthcare Media. In April 2019, Microsoft announced that hackers had acquired a customer support agents credentials, giving them access to some webmail accounts including @outlook.com, @msn.com, and @hotmail.com accounts between January 1, 2019, and March 28, 2019. The intrusion was only detected in September 2021 and included the exposure and potential theft of . After all, people are busy, can overlook things, or make errors. SOCRadar has also made available a free tool that companies can use to find out if their data was exposed in one of the BlueBleed buckets. We want to hear from you. Among the company's products is an IT performance monitoring system called Orion. LastPass Issues Update on Data Breach, But Users Should Still Change Microsoft uses the following classifications: Identifying data at scale is a major challenge, as is enforcing a process so employees manually mark documents as sensitive. Heres how it works. "We redirect all our customers to MSRC if they want to see the original data. (Joshua Goldfarb), Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies. Nearly all Microsoft 365 customers have suffered email data breaches We really want to hear from you, and were looking forward to seeing you at the event and in theCUBE Club. In July 2021, the Biden administration and some U.S. allies formally stated that they believed China was to blame. Additionally, Microsoft hadnt planned to release a patch until the next scheduled major update for Internet Explorer, though it ultimately had to accelerate its plan when attackers took advantage of the vulnerability. January 17, 2022. In May 2016, security experts discovered a data cache featuring 272.3 million stolen account credentials. The issue arose due to misconfigured Microsoft Power Apps portals settings. Azure and Breach Notification under the GDPR further details how Microsoft investigates, manages, and responds to security incidents within Azure. Creating the rogue certificate involved exploiting the algorithm Microsoft used to set up remote desktops on systems, allowing code to be crafted that appeared to come from Microsoft. As Microsoft continued to investigate activities relating to the SolarWinds hackers which Microsoft dubbed Nobelium it determined that additional systems had been compromised by the attackers. 1Cost of a Data Breach Report 2021, Ponemon Institute, IBM. Microsoft exposed some of its customers' names, email addresses, and email content, among other sensitive data. Copyright 2023 Wired Business Media. Though Microsoft would not reveal how many people were impacted, SOCRadar researchers claimed that 65,000 entities across 111 countries may have had their data compromised, which includes. In June 2012, word of a man-in-the-middle attack that allowed hackers to distribute malware by disguising the malicious code as a genuine Microsoft update emerged. SOCRadar uses its BlueBleed tool to crawl through compromised systems to find out what information can readily be obtainable and accessible by malicious actors. Anna Tutt, CMO of Oort, shares her experiences and perspectives on how we can accelerate growth of women in cybersecurity. They were researching the system and discovered various vulnerabilities relating to Cosmos DB, the Azure database service. Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. For the 2022 report, Allianz gathered insights from 2,650 risk management experts from 89 countries and territories. Microsoft is disappointed that this tool has been publicly released, saying that its not in the best interest of ensuring customer privacy or security and potentially exposing them to unnecessary risk. Hopefully, this will help organizations understand the importance of data security and how to better allocate their security budgets. A threat group calling itself Lapsus$ announced recently that it had gained access to the source code of Microsoft products such as Bing and Cortana. Successfully managing the lifecycle of data requires that you keep data for the right amount of time. Data discovery, data classification, and data protection strategies can help you find and better protect your companys sensitive data. Additionally, the configuration issue involved was corrected within two hours of its discovery. "The leaked data does not belong to us, so we keep no data at all," Seker told Bleeping Computer, noting that his company was disappointed with Microsoft's accusations. If hackers gained access to that Skype password, they could effectively bypass the two-factor authentication, giving them access. Additionally, it wasnt immediately clear who was responsible for the various attacks. Chuong's passion for gadgets began with the humble PDA. Also, organizations can have thousands of sensitive documents, making manual identification and classification of data untenable because the process would be too slow and inaccurate. Some of the data were crawled by our engine, but as we promised to Microsoft, no data has been shared so far, and all this crawled data was deleted from our systems, SOCRadar VP of Research and CISO Ensar eker told BleepingComputer. In some cases, it was employee file information. Learn more below. Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Also, consider standing access (identity governance) versus protecting files. SOCRadar expressed "disappointment" over accusations fired by Microsoft. Lapsus$ Group's Extortion Rampage. Lets look at four of the biggest challenges of sensitive data and strategies for protecting it. The most common Slack issues and how to fix them, ChatGPT: how to use the viral AI chatbot that everyones talking about, 5 Windows 11 settings to change right now, Cybercrime spiked in 2022 and this year could be worse, New Windows 11 update adds ChatGPT-powered Bing AI to the taskbar. So, tell me Mr. & Mrs. Microsoft, would there be any chance at all that you may in fact communicate with your customer base. The first few months of 2022 did not hold back. Top 10 Data Breaches So Far in 2022 - Cybersecurity | Digital Forensics The company also stated that it has directed contacted customers that were affected by the breach. Microsoft said that it does not believe that any data was improperly accessed prior to correcting the security flaw. Join this webinar to gain clear advice on the people, process and technology considerations that must be made at every stage of an OT security programs lifecycle. Organizations can face big financial or legal consequences from violating laws or requirements. New York, "Security researchers at SOCRadar informed Microsoft on September 24, 2022, of a misconfigured Microsoft endpoint," Microsoft wrote in a detailed security response blog post (opens in new tab). UPDATED 13:14 EST / MARCH 22 2022 SECURITY Okta and Microsoft breached by Lapsus$ hacking group by Maria Deutscher SHARE The Lapsus$ hacking group has carried out cyberattacks against Okta Inc.. Microsoft also disputed some key details of SOCRadars findings: After reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue. (RTTNews) - Personal data of 38 million users were accidentally leaked due to a fault in Microsoft's (MSFT) Power Apps . Due to the security incident, the Costa Rican government established a new Cyber Security Council to better protect citizens' data in the future. Look for data classification technology solutions that allow auto-labeling, auto-classification, and enforcement of classification across an organization. Even though this was caused not by a vulnerability but by a improeprly configured instance it still shows the clouds vulnerability. Microsoft did not say how many potential customers were exposed by the misconfiguration, but in a separate post, SOCRadar, which describes the exposure as BlueBleed, puts the figure at more than 65,000.