A data leak exposed customer data from a Dynamics pitch

Security researchers have come across a misconfigured Microsoft Azure blob storage on the Internet that exposed sensitive internal information about a presentation for Microsoft Dynamics. Other companies had probably applied for a project or partnership with Microsoft Dynamics to integrate their products. According to the data, the dataset belongs to Microsoft.



When I report on data leaks or hacks here, two things always go through my mind. First, there's the thought: Okay, these are somehow companies that haven't yet internalized the issue of security and are fluffing on the subject. There's also a bit of "it's my own fault" that gets thrown at me by the blog readership whenever I report on corporate data leaks or security incidents. The hope is that companies like Apple, Google, Microsoft and other big players have everything under control.

On the other hand, I'm familiar with the bon mot "There are only companies that have been hacked and those that haven't noticed yet." And I think to myself when I say "it's their own fault": some of the technology is so complex, it doesn't tolerate mistakes. And mistakes inevitably happen sooner or later, so even larger companies fall victim to hacks and data leaks.

Microsoft Dynamics, a classification

Microsoft Dynamics is a suite of integrated enterprise products and software applications offered by Microsoft to large companies operating primarily in the financial services, retail, public sector and manufacturing industries. Many of the products sold under the Microsoft Dynamics brand were developed by small independent software companies and purchased by Microsoft. The company then integrated each of these separate products into a single product line. That should be kept in mind for what follows.

Data leak of a Dynamics presentation

Security researchers at vpnMentor recently discovered a misconfigured Microsoft Azure blob storage containing sensitive internal information from the Dynamics environment. Through the data leak, it became public which companies had offered Microsoft solutions for Microsoft Dynamics in a so-called pitch. The Microsoft Azure blob storage contained company data, product descriptions, product codes, hard-coded passwords and more. After reviewing the data, the security researchers assume that this Azure server was probably misconfigured by Microsoft itself.

The Microsoft Azure blob storage is 63 GB in size and was completely unsecured. Thus, anyone who knew the URL could access the content without any special hacking skills. The files appeared to come from a series of pitches (presentations) made to the Microsoft Dynamics group by numerous companies. It appears to have been a project or partnership that the companies were applying for. Many of the pitches included the source code for software products, some of which were eventually brought to market.



The repository included more than 3,800 files with data from January to September 2016. The whole thing was discovered on January 7, 2021, with the company notifying KPMG on January 11 and Microsoft on January 12, 2021. It does not seem entirely clear who the owner of the Azure storage was. On February 23, 2021, the Microsoft Azure blob storage was probably secured again. The exact details of this data leak can be read in this vpnMentor blog post.

