Home / Threat Intelligence bulletins / Microsoft data breach (BlueBleed)


Microsoft has published an advisory detailing an incident of leaked private customer information related to a misconfigured Blob Storage instance. The initial report claimed 65,000+ entities in 111 countries were made public. However, Microsoft says those numbers are exaggerated and the report includes duplicate details. A follow-up blog post explains the difference in terminology around what constitutes an entity and provides further information about the vendor’s follow-up.


Microsoft’s advisory about the incident reports that data included “names, email addresses, email content, company name, and phone numbers, and may have included attached files relating to business between a customer and Microsoft or an authorized Microsoft partner”.

Customers who have been in touch with them say they were unable to share details about the contents of the files.

There is some public evidence that the data has been indexed by search engines.

Affected Customers

Microsoft says that affected customers have been notified via Message Center.

SOCRadar has published a tool for organisations to check whether they are impacted. This tool gives positive results for domains which Microsoft would consider unaffected, in which case the information leaked may be limited to a single email address or URL from a Customer Relationship Management (CRM) record, an email or their database.

Threat Landscape

The leaked customer data could be more or less useful to adversaries depending on information contained which has not been made public. In particular, email addresses and other Personally Identifiable Information (PII) could be used as part of social engineering attacks and the data breach itself can be used as a lure. Campaigns in the past have been seen to use fake security notifications around legitimate security issues to entice victims.

Threat Group

No known threat groups have been shown publicly to have access to the data.

Mitre Methodologies

T1078.004 – Valid Accounts: Cloud Accounts

Further Information

Investigation Regarding Misconfigured Microsoft Storage Location

Sensitive Data of 65,000+ Entities in 111 Countries Leaked due to a Single Misconfigured Data Bucket

Details On The Largest B2B Leak: BlueBleed