Microsoft Exchange service exposes nearly 100,000 names and logins

What you need to know

• The Autodiscover feature of Microsoft Exchange is reported as having been improperly implemented.
• Said implementation issues have resulted in the leaks of nearly 100,000 Windows credentials, including logins and names.
• Microsoft has acknowledged it is investigating the matter and is unhappy the issue wasn't shared with it before reaching the media.

The Autodiscover feature in Microsoft Exchange is resulting in a bit more information being exchanged than users likely hoped for. In short, Guardicore reports that the Autodiscover protocol's improper implementation has led to "96,671 unique credentials" being leaked (via BleepingComputer).

Here's an aggressively simplified overview of how the leaks happened: Imagine an Exchange user signs into a mail client (Outlook, for example). Said client will try to ensure Exchange Autodiscover URLs are legitimate. That user's login details are then sent to the URLs in question.

However, because of the procedures of some mail clients, the Autodiscover protocol results in untrusted domains receiving authentication attempts. And that means that the untrusted domain's owners can collect the data they wrongly received and do whatever they want with it.

That's how the leak occurs, and how 96,671 credentials have gone places they shouldn't have. You can read Guardicore's full report for the nitty-gritty details, but that's a general summary of the situation.

When BleepingComputer reached out to Microsoft about the issue, this was Senior Director of Communications Jeff Jones' response:

Microsoft has repeatedly reminded everyone to play it smart with Exchange, though in this particular instance, it's not clear how exactly users can do anything on their end for added protection. We'll update the story if the company updates its guidance regarding the current situation.