486
Microsoft leaks 38TB of private data via unsecured Azure storage (www.bleepingcomputer.com)
submitted 10 months ago by 123@lemm.ee to c/sysadmin@lemmy.world
52 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[-] Knusper@feddit.de 101 points 10 months ago

Gotta love these kind of news. There's always these hypothetical discussions of clouds being insecure and companies generally just ignore that, because clouds are theoretically, sometimes cheaper.

And then every now and then, half the internet leaks out of one of these clouds and everyone's like, holy crap, and then companies go back to generally just ignoring that, because clouds are theoretically, sometimes cheaper.

[-] TheCee@programming.dev 25 points 10 months ago

Unfortunately nobody in charge has seen consequences for their decision to save a few theoretical nickels, so far. But then again, a lot of software/IT related stuff would look completely different, if anybody did.

[-] Knusper@feddit.de 9 points 10 months ago

Yeah, with the GDPR, you could theoretically get sued for using inappropriate technologies, but unless a proper expert committee officially declares Azure et al unsalvagable, you can always say, you thought you were using safe technologies.

[-] sep@lemmy.world 15 points 9 months ago* (last edited 9 months ago)

I do not think anyone belive clouds are cheaper. For a stable workload probably 2x as expecive. Especially when you also count the new finops department you need to know what you are actually paying for in the cloud.

What cloud do give is virtualy infinite capacity, infinite scale out performance, instant availabillity and scaleabillity up to a global presence, no up-front cost, no tear down cost, bragging rights, no long running contracts and api's for EVERYTHING.

Edit: I did see you write theoretically ;)

[-] x3i@lemmy.x3i.tech 7 points 9 months ago

Let me add another important point: outsourcing responsibility. In case of a data breach, you have someone to sue and you don't need a whole internal team to be up to date on the latest security topics. Instead, they just have to be able to manage the web interface (not saying that is easy, just less subject to changes)

[-] Default@aussie.zone 5 points 9 months ago

Ding ding ding. It's all about outsourcing accountability as much as possible. Always need a finger to point at if things go wrong.

[-] XTornado@lemmy.ml 2 points 9 months ago* (last edited 9 months ago)

Given the average company I believe the cloud being more secure, of course they can shoot themselves d in the foot in the cloud as well but that wouldn't be the cloud being insecure. The cheaper part.... not sure if I would agree, it is more simple and easier to manage than your own physical hardware and all that entails, unless you require very little, that's for sure.

[-] Nighed@sffa.community 99 points 10 months ago

The exposed data included backups of personal information belonging to Microsoft employees, including passwords for Microsoft services, secret keys, and an archive of over 30,000 internal Microsoft Teams messages originating from 359 Microsoft employees.

In an advisory on Monday by the Microsoft Security Response Center (MSRC) team, Microsoft said that no customer data was exposed, and no other internal services faced jeopardy due to this incident.

[-] jmcs@discuss.tchncs.de 53 points 10 months ago

Wait, they stored passwords in plain text?

[-] possiblylinux127@lemmy.zip 35 points 10 months ago

Possibly or as a weak hash

[-] elbarto777@lemmy.world 29 points 10 months ago* (last edited 10 months ago)

Always have done so.

🧑‍🚀🔫

[-] clearedtoland@lemmy.world 12 points 10 months ago

This is like the evolution of the “loss” meme. Gave me a chuckle.

[-] raspberriesareyummy@lemmy.world 20 points 10 months ago

Microsoft said that no customer data was exposed

Sure, we'll just take your word for it, buddies. Cheers. /laughs in Linux

[-] Random_user@lemmy.world 14 points 9 months ago

You can use Linux and still have a Microsoft account.

[-] raspberriesareyummy@lemmy.world 0 points 9 months ago

Can, but shouldn't. I have a work related Teams account, and one where I tried to rent a Windows VM for a consulting job. That's it though - no private data to get leaked. The work conversations would suck though, but I'll happily remind my boss et al why using Teams is a shitty idea in the first place.

[-] Sinthesis@lemmy.world 12 points 9 months ago

Microsoft owns GitHub. The blast radius for this could be severe.

[-] raspberriesareyummy@lemmy.world -2 points 9 months ago

Yeah, but the naivety of people believing in secure clouds needs to die. So if this helps, I'm all for it.

[-] NegativeLookBehind@kbin.social 76 points 10 months ago

📎 “It looks like you’re trying to steal terabytes worth of data. Here, let me just give it to you!”

[-] TheChefSLC 5 points 9 months ago

Lol! I used to pin him to my desktop. I loved having him for some reason...

[-] capt_wolf@lemmy.world 43 points 10 months ago

Microsoft said that no customer data was exposed.

Well then, let's break out the popcorn, this should be fun!

[-] Sabata11792@kbin.social 30 points 10 months ago

That's what they all say before the customer data leak disclosure.

[-] snooggums@kbin.social 21 points 10 months ago

I am so glad that Microsoft always tells the truth so we can just take them at their word. It would be totally different if they had a history of lying and doing shady stuff.

[-] Nighed@sffa.community 7 points 10 months ago

As long as the data they lost doesn't get more details, that get more detail that gets customer data... or anorher signing key....

[-] Bishma@discuss.tchncs.de 41 points 10 months ago

Did Microsoft officially stop caring about security or is this more of a fad, like when everything was tiles for a while?

[-] Broken_Monitor@lemmy.world 28 points 10 months ago

We gotta give them a reason to care before they will do anything about it. How many companies have suffered major data breaches over the past 5 years with basically no consequences?

[-] possiblylinux127@lemmy.zip 2 points 9 months ago

Just leave Microsoft

Oh wait, everything depends on windows. Boy we have created a monster

[-] Broken_Monitor@lemmy.world 1 points 9 months ago* (last edited 9 months ago)

I can, but it would take a lot of effort to do so. I will look into it, but a lot of my video games still rely on Windows. However, for MS to change and care it would require a mass exodus on the corporate level, which will never happen.

[-] Zeth0s@lemmy.world 15 points 10 months ago* (last edited 10 months ago)

To be fair Microsoft has never cared much about security. See the windows server (a relatively niche os on servers) second entry in this stat: https://www.statista.com/statistics/701020/major-operating-systems-targeted-by-ransomware/.

It is just that nowadays this kind of issues are more in the news because of "russian cyber criminals", while in the past no one really cared.

Not that I complain... Visibility is actually a good thing

[-] LUHG_HANI@lemmy.world 3 points 10 months ago

It's not relatively niche on SMBs though. It's a major target so it'll always get hit.

[-] Zeth0s@lemmy.world 5 points 10 months ago* (last edited 10 months ago)

It's far less common than linux oses... In any type of servers, including data storages. It is THE major target because it is a bad OS, nowadays primarily used by companies that haven't a good IT for the typical file shares used by tech illiterates easily victims of social engineering attacks. It's a explosive combination that results in that stat... Practically 100 % of successful ransomware attacks on servers is on windows servers, despite overall being much less used than competitors

[-] Nighed@sffa.community 5 points 10 months ago

The more staff a company has, the more chance of mistakes/idiots.

They should have scans to pick a lot of this up though.

load more comments (9 replies)
[-] Random_user@lemmy.world 33 points 9 months ago

That must be why I've been getting a million 2fa emails recently asking me to verify my Microsoft account sign in.

[-] Nath@aussie.zone 9 points 9 months ago

Hmm, by using Authy I wouldn't receive these. They'd just be asked for the current code and unable to proceed.

On the one hand I'm happy not getting spammed like you with 2fa requests. On the other, I think I'd like to know if any of my user/password pairs have been compromised.

[-] russjr08@outpost.zeuslink.net 4 points 9 months ago

I imagine at some point it could be added to the Have I Been Pwned tool, which you can use to check for the presence of your credentials being in a data breach.

[-] XTornado@lemmy.ml 3 points 9 months ago

Tbh I am not sure what he is talking about. I didn't know Microsoft had 2FA by mail. They have their authenticator app, sms, physical key, windows auth (or whatever is called that the PC acts as key/2fa). I know of one case where you can get invited to an org and if you don't have an azure account the login is done by a mail they sent you, but I wouldn't call that 2FA. But I guess here is a mail version I didn't know about.

[-] Nath@aussie.zone 2 points 9 months ago

Oh you're right. I thought it was notification spam to the phone/watch that @Random_user was complaining about.

There is an email MFA method for Hotmail/LiveID accounts, but M365 doesn't have email as an authentication method. There's Authenticator Lite, which comes through as a notificataion through the Outlook App on the phone, though. Not so many organisations use it because it's fairly new and we've mostly been doing MFA for years by now.

[-] beetus@lemmy.world 3 points 9 months ago

Pretty sure the person who said they are getting 2fa emails was meaning that they are getting email alerts from Microsoft that says "we blocked these logins. Were they you?"

Some service providers do this when they see large attempts to access accounts fail due to 2fa blocks.

[-] MrPoopyButthole@lemmy.world 23 points 10 months ago

Azure storage defaults to being private and when you make it public it gives you a warning prompt to accept...

load more comments (1 replies)
[-] Reygle@lemmy.world 2 points 10 months ago

I practically have tourette syndrome at this point I curse the absolute fuckwittery of Microsoft so often.

Gtfo of "the cloud". Don't touch it. Don't joke about touching it.

[-] cypher_greyhat@lemmy.world 1 points 10 months ago

Nice.

[-] disconnectikacio@lemmy.world -2 points 9 months ago* (last edited 9 months ago)

What else can you expect from microcrap...

[-] greywolf0x1@lemmy.ml 1 points 9 months ago

Why bother renaming it, it's always been microshit.

load more comments
view more: next ›
this post was submitted on 18 Sep 2023
486 points (99.2% liked)

Sysadmin

7317 readers
1 users here now

A community dedicated to the profession of IT Systems Administration

No generic Lemmy issue posts please! Posts about Lemmy belong in one of these communities:
!lemmy@lemmy.ml
!lemmyworld@lemmy.world
!lemmy_support@lemmy.ml
!support@lemmy.world

founded 1 year ago
MODERATORS
DarraignTheSane@lemmy.world
00Lemming@lemmy.world
L3s@lemmy.world