Microsoft Exchange service exposes nearly 100,000 names and logins

[Image: Microsoft logo (Image credit: Daniel Rubino / Windows Central)]

What you need to know

  • The Autodiscover feature of Microsoft Exchange is reported as having been improperly implemented.
  • Said implementation issues have resulted in the leaks of nearly 100,000 Windows credentials, including logins and names.
  • Microsoft has acknowledged it is investigating the matter and is unhappy the issue wasn't shared with it before reaching the media.

The Autodiscover feature in Microsoft Exchange is resulting in a bit more information being exchanged than users likely hoped for. In short, Guardicore reports that the Autodiscover protocol's improper implementation has led to "96,671 unique credentials" being leaked (via BleepingComputer).

Here's an aggressively simplified overview of how the leaks happened: imagine an Exchange user signs into a mail client (Outlook, for example). The client tries to verify that the Exchange Autodiscover URLs it finds are legitimate, and the user's login details are then sent to those URLs.

However, because of the way some mail clients implement the Autodiscover protocol, untrusted domains end up receiving authentication attempts. That means the untrusted domain's owners can collect the data they wrongly received and do whatever they want with it.

That's how the leak occurs, and how 96,671 credentials have gone places they shouldn't have. You can read Guardicore's full report for the nitty-gritty details, but that's a general summary of the situation.
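Added illustration, not taken from the article or from Guardicore's report: a small check a defender could run over web-proxy records to spot Autodiscover requests that leave the organisation's own domains (the "untrusted domains" described above) or travel without TLS. The log format, the trusted zone example.com and the sample lines are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: the organisation's own mail domain(s); Autodiscover requests
# to any host outside these zones are the ones worth investigating.
TRUSTED_ZONES = ("example.com",)

# Constructed sample proxy log (not real traffic):
# "<timestamp> <user> <method> <url> <status>"
SAMPLE_LOG = """\
2021-09-22T09:01:11Z alice POST https://autodiscover.example.com/autodiscover/autodiscover.xml 200
2021-09-22T09:01:12Z alice POST https://example.com/autodiscover/autodiscover.xml 401
2021-09-22T09:01:14Z alice POST https://autodiscover.untrusted-example.test/autodiscover/autodiscover.xml 401
2021-09-22T09:02:03Z bob GET https://outlook.office365.com/owa/ 200
2021-09-22T09:02:30Z bob POST http://autodiscover.example.com/autodiscover/autodiscover.xml 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def host_in_trusted_zone(host, zones=TRUSTED_ZONES):
    """True if host equals one of the trusted zones or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in zones)


def find_autodiscover_leaks(log_text, zones=TRUSTED_ZONES):
    """Return (user, host, reasons) for every Autodiscover request that is
    risky: sent to a host outside the trusted zones, or sent over plain HTTP."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        url = urlsplit(m["url"])
        # Only the Autodiscover endpoint carries the user's credentials.
        if not url.path.lower().endswith("/autodiscover/autodiscover.xml"):
            continue
        host = url.hostname or ""
        reasons = []
        if not host_in_trusted_zone(host, zones):
            reasons.append("untrusted-host")
        if url.scheme.lower() != "https":
            reasons.append("cleartext")
        if reasons:
            findings.append((m["user"], host, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for user, host, reasons in find_autodiscover_leaks(SAMPLE_LOG):
        print(f"{user}: Autodiscover request to {host} flagged ({', '.join(reasons)})")
```

Hosts flagged as untrusted are candidates for blocking at the proxy, and the affected users are the ones whose credentials should be rotated.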

When BleepingComputer reached out to Microsoft about the issue, this was Senior Director of Communications Jeff Jones' response:

We are actively investigating and will take appropriate steps to protect customers. We are committed to coordinated vulnerability disclosure, an industry standard, collaborative approach that reduces unnecessary risk for customers before issues are made public. Unfortunately, this issue was not reported to us before the researcher marketing team presented it to the media, so we learned of the claims today.

Microsoft has repeatedly reminded everyone to play it smart with Exchange, though in this particular instance, it's not clear how exactly users can do anything on their end for added protection. We'll update the story if the company updates its guidance regarding the current situation.

Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to robert.carnevale@futurenet.com.