Microsoft has once again not done a good job with its security practices. An internal server containing passwords for databases remained unsecured for months.
An internal server containing Microsoft corporate data was publicly accessible for an unknown period of time. The server contained internal company information related to the Bing search engine, as well as passwords and keys for access to databases and systems. The server wasn’t even password protected.
Security researchers at SOCRadar informed Microsoft about the unsecured server in February. It then took another month until Microsoft closed the doors. The incident could have potentially serious consequences. In principle, anyone could gain access to the server via the Internet, but it is not yet known whether this has actually happened. Further data leaks cannot be ruled out, SOCRadar researcher Can Yoleri tells TechCrunch.
Accumulation of errors
Even if there are no repercussions, this bug won’t hurt Microsoft’s already poor security reputation. Many companies rely on Microsoft’s services and products and should be able to trust that the company runs its business properly, but things have gone wrong at Microsoft more than once in the recent past.
In 2022, Microsoft accidentally released internal credentials via public code on GitHub. Last year, Microsoft was the unintended key player in a Chinese espionage hack in which hackers obtained an authentication key for Microsoft mail servers and gained access to government accounts. The American government then pointed an accusing finger at Microsoft in a report.
As the icing on the security cake, Microsoft itself also received unwanted visits from Russian hackers. Because of this accumulation of errors, security experts are increasingly losing trust in Microsoft. The company itself seems to have recognized this and announced a new internal security policy in November, but it must also follow its words with action.