Microsoft reportedly locked down a server last month that exposed passwords, keys, and credentials of Microsoft employees to the open internet, as the company faces mounting pressure to bolster its software security.

According to Techcrunch, three security researchers at SOCRadar — a company specializing in detecting corporate cybersecurity weaknesses — discovered that an Azure-hosted server storing sensitive data linked to Microsoft’s Bing search engine was left open with no password protection, meaning it could be accessed by anyone online. The server contained a variety of security credentials used by Microsoft employees to access internal systems, housed within various scripts, code, and configuration files.

One of the researchers, Can Yoleri, told Techcrunch that hackers could potentially use this exposed data to find and access other areas where Microsoft stores internal data, which “could result in more significant data leaks and possibly compromise the services in use.”

Microsoft was notified about the vulnerability on February 6th, and locked it down by March 5th. It’s unclear if anyone else accessed the exposed server during this time. We have reached out to Microsoft for comment and will update this story if we hear back.

Microsoft has faced several cybersecurity mishaps in recent years, and is currently in the process of overhauling its security practices. Earlier this month, a review from the US Cyber Safety Review Board said Microsoft could have prevented a breach in its Exchange Online software that allowed Chinese hackers to access US government email systems in 2023, accusing the tech giant of developing a “corporate culture that deprioritized enterprise security investments and rigorous risk management.” Another incident in 2022 saw sensitive login credentials for Microsoft’s systems being uploaded by its own employees on GitHub.

The Verge