EY’s Security Failure: 4TB of Private Client Data Exposed Publicly on Microsoft Azure

By CyberDudeBivash · 30 Oct 2025 · cyberbivash.blogspot.com · cyberdudebivash.com


Breaking: Researchers report that a 4+ TB SQL Server backup file tied to EY was left publicly accessible on Microsoft Azure, exposing highly sensitive client data. Discovery is attributed to Dutch firm Neo Security; coverage by multiple outlets confirms public accessibility and scale. Patch your Azure storage controls and audit for exposure now. 

This post explains what happened, why Azure Blob misconfigurations keep recurring, and the exact checks you must run today (SAS tokens, public access, CSPM rules, logging) to avoid becoming the next headline. We include a 30-minute triage and a 24-hour remediation plan your team can execute immediately. 

TL;DR — A massive Azure SQL backup was found publicly reachable. These incidents are almost always misconfiguration + weak SAS governance. Lock down Blob public access, rotate SAS, enable storage firewall/VNet, and comb logs for access anomalies. 
Contents
  1. What Happened (in plain English)
  2. Why Azure Blobs Keep Leaking
  3. 30-Minute Triage: Am I Exposed?
  4. 24-Hour Fix Plan (Production-Safe)
  5. Detection & Hunt Queries
  6. Recommended Tools (Partner Links)
  7. CyberDudeBivash Services & Apps
  8. Sources
  9. FAQ

What Happened (in plain English)

A publicly reachable Azure blob exposed a 4TB+ SQL Server backup linked to EY. According to initial reports, the file was accessible without authentication and was identified during routine attack-surface mapping by researchers. Impact details are still emerging; however, the scale suggests exposure of internal and client records. 

Why Azure Blobs Keep Leaking

  • Misconfigured public access: Containers accidentally set to public or inherited permissive policies. 
  • Over-permissive SAS tokens: Long-lived tokens with wide scopes get reused or leaked. 
  • Weak identity guardrails: Missing conditional access / private endpoints / storage firewall. 
  • Commodity scanning: Automated internet scanners hunt for open Azure containers at scale. 
  • Attack uptick: Microsoft & others recently warned about active targeting of Azure Blob misconfigs. 

30-Minute Triage: Am I Exposed?

  1. Run an org-wide check: ensure Blob public access = Disabled at account & container levels. 
  2. List containers with PublicAccess != Private; immediately set to Private.
  3. Locate SQL/DB backups in storage; confirm they’re not in public containers.
  4. Inventory active SAS; revoke unknown/long-lived tokens; re-issue with IP/time scoping. 
  5. Check Insights/Diagnostics logs for anonymous access & spikes in list/get operations. 

24-Hour Fix Plan (Production-Safe)

  1. Enforce Private Endpoints + Firewall: Allow only corporate VNets/IPs; deny public network access entirely.
  2. Rotate Secrets: Regenerate storage account keys; rotate any application credentials that touched the affected blobs.
  3. Lock SAS Hygiene: Default to expiries measured in hours, not weeks; grant only the permissions needed (e.g. sp=rl for read and list); sign with user delegation keys rather than account keys.
  4. Encrypt backups properly: Use TDE and backup encryption; store keys in an HSM or Key Vault.
  5. CSPM Policies: Turn on preventive policies that block public containers in CI/CD.
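To make triage step 4 and fix step 3 concrete, here is an added checker (not code from the original post) that audits a SAS URL against the hygiene rules above. The lifetime threshold and the read/list allow-list are assumed policy values; the query parameters it inspects (sp, se, sip, spr, skoid, sig) are the standard SAS parameters.

```python
"""Audit Azure Storage SAS URLs against the SAS hygiene rules in the fix plan.

Added example; MAX_LIFETIME and ALLOWED_PERMS are assumed policy values.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

MAX_LIFETIME = timedelta(hours=8)   # assumption: expiries in hours, not weeks
ALLOWED_PERMS = set("rl")            # read + list is the most we tolerate for backups


def audit_sas(url: str, now: datetime) -> list[str]:
    """Return findings for one SAS URL; an empty list means it passes every rule."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in q:
        return ["not a SAS URL (no sig parameter)"]
    findings = []
    # Rule 1: lifetime. se is an ISO-8601 UTC timestamp such as 2025-11-30T00:00:00Z.
    se = q.get("se")
    if se is None:
        findings.append("no expiry (se) set")
    else:
        expiry = datetime.fromisoformat(se.replace("Z", "+00:00"))
        if expiry.tzinfo is None:            # date-only or naive value: treat as UTC
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry - now > MAX_LIFETIME:
            findings.append(f"lifetime {expiry - now} exceeds {MAX_LIFETIME}")
    # Rule 2: permissions. Anything beyond read/list (w, d, c, a, ...) is too broad.
    extra = set(q.get("sp", "")) - ALLOWED_PERMS
    if extra:
        findings.append(f"broad permissions sp={q.get('sp')} (extra: {''.join(sorted(extra))})")
    # Rule 3: scoping. Without sip the token is valid from any source IP.
    if "sip" not in q:
        findings.append("no IP restriction (sip)")
    # Rule 4: transport. When spr is omitted, both HTTPS and HTTP are accepted.
    if q.get("spr", "https,http") != "https":
        findings.append("plain HTTP allowed (spr)")
    # Rule 5: signing. A user delegation SAS carries skoid/sktid; an account-key SAS does not.
    if "skoid" not in q:
        findings.append("signed with account key, not user delegation")
    return findings


if __name__ == "__main__":
    # Constructed sample: a long-lived, read/write/delete/list token with no IP scope.
    sample = ("https://acct.blob.core.windows.net/backups/prod.bak"
              "?sv=2022-11-02&sp=rwdl&se=2026-10-30T00:00:00Z&sig=PLACEHOLDER")
    for line in audit_sas(sample, datetime.now(timezone.utc)):
        print("FINDING:", line)
```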

Detection & Hunt Queries

  • Anonymous access spikes (StorageRead/BlobGet/ListContainer) by unfamiliar IPs/ASNs.
  • New SAS issuance with long expiries or broad scopes; tokens used from foreign geos.
  • Large downloads of DB backups from rare IPs; throttle or block egress by policy.
  • Look-alike storage accounts used to host phishing/brand-spoof content. 
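The first three hunt items above, as an added example that is not part of the original post: it aggregates Azure Storage diagnostic records per caller IP and flags anonymous list/get activity, large egress, and reads of backup blobs. The records are constructed and modelled on the StorageBlobLogs columns (OperationName, AuthenticationType, CallerIpAddress, Uri, ResponseBodySize); the egress threshold and backup extensions are assumptions.

```python
"""Hunt for anonymous access and download spikes in Azure Storage blob logs.

Added example. LOGS is constructed sample data in the shape of StorageBlobLogs;
BIG_DOWNLOAD_BYTES and BACKUP_EXTENSIONS are assumed thresholds.
"""
from collections import defaultdict

ANON_OPS = {"GetBlob", "ListBlobs", "ListContainers"}
BIG_DOWNLOAD_BYTES = 1_000_000_000          # assumption: >1 GB per IP is worth a look
BACKUP_EXTENSIONS = (".bak", ".bacpac", ".trn")
BASE = "https://acct.blob.core.windows.net"

LOGS = [  # constructed sample records
    {"OperationName": "GetBlob", "AuthenticationType": "OAuth", "CallerIpAddress": "10.20.0.5",
     "Uri": f"{BASE}/app/index.html", "ResponseBodySize": 4096},
    {"OperationName": "ListBlobs", "AuthenticationType": "Anonymous", "CallerIpAddress": "198.51.100.7",
     "Uri": f"{BASE}/backups?comp=list", "ResponseBodySize": 2048},
    {"OperationName": "GetBlob", "AuthenticationType": "Anonymous", "CallerIpAddress": "198.51.100.7",
     "Uri": f"{BASE}/backups/prod.bak", "ResponseBodySize": 2_000_000_000},
    {"OperationName": "GetBlob", "AuthenticationType": "Anonymous", "CallerIpAddress": "198.51.100.7",
     "Uri": f"{BASE}/backups/prod.bak", "ResponseBodySize": 2_000_000_000},
    {"OperationName": "GetBlob", "AuthenticationType": "SAS", "CallerIpAddress": "203.0.113.9",
     "Uri": f"{BASE}/backups/prod.bak", "ResponseBodySize": 500_000_000},
]


def hunt(logs):
    """Aggregate per caller IP: anonymous list/get count, bytes served, backup blobs read."""
    stats = defaultdict(lambda: {"anon_ops": 0, "bytes": 0, "backups": set()})
    for r in logs:
        s = stats[r["CallerIpAddress"]]
        if r["AuthenticationType"] == "Anonymous" and r["OperationName"] in ANON_OPS:
            s["anon_ops"] += 1
        s["bytes"] += r["ResponseBodySize"]
        if r["OperationName"] == "GetBlob" and r["Uri"].lower().endswith(BACKUP_EXTENSIONS):
            s["backups"].add(r["Uri"].rsplit("/", 1)[-1])
    return stats


def findings(logs):
    """Map each suspicious caller IP to the reasons it was flagged."""
    out = {}
    for ip, s in hunt(logs).items():
        reasons = []
        if s["anon_ops"]:
            reasons.append(f"{s['anon_ops']} anonymous list/get operations")
        if s["bytes"] > BIG_DOWNLOAD_BYTES:
            reasons.append(f"{s['bytes'] / 1e9:.1f} GB egress")
        if s["backups"]:
            reasons.append("backup blobs read: " + ", ".join(sorted(s["backups"])))
        if reasons:
            out[ip] = reasons
    return out
```

Anonymous reads of a .bak file from a single external IP, as the 198.51.100.7 record shows, is the exact pattern behind the EY exposure; in production, run the same aggregation over your Log Analytics export rather than this inline sample.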

Recommended by CyberDudeBivash (Partner Links)

Patch fast, detect faster, and train your cloud teams.

CyberDudeBivash Services & Apps

Need help right now? We do Azure exposure hunts, SAS governance, storage firewalling, incident response, and exec-grade reporting.

  • PhishRadar AI — finds brand-spoof & data exfil via cloud storage
  • SessionShield — protects privileged sessions across cloud consoles
  • Threat Analyser GUI — live dashboards & IR workflows for cloud incidents

Sources

  • The Register coverage of EY 4TB public SQL backup exposure on Azure. 
  • CyberSecurityNews initial report on EY data leak. 
  • Neo Security technical write-up on discovery & responsible disclosure. 
  • GBHackers recap of the exposure. 
  • Microsoft & industry guidance on Blob attack activity & misconfigs. 

FAQ

Q: Is this an Azure bug?
A: No—these exposures are typically owner misconfigurations (public access/SAS). Azure provides controls to prevent this when configured correctly. 

Q: What’s the fastest single control to cut risk today?
A: Disable public access at the storage account level and enforce private endpoints plus firewall rules.

Q: Are attackers actively going after Blob misconfigs?
A: Yes—recent advisories and media show increasing targeting and automated discovery. 

Affiliate Disclosure: We may earn commissions from partner links at no extra cost to you. Opinions are independent.

CyberDudeBivash — Global Cybersecurity Apps, Services & Threat Intelligence.

cyberbivash.blogspot.com · cyberdudebivash.com · cryptobivash.code.blog
