The MSP Security Gap

Turn security gaps into sales opportunities with weekly attack scenarios

The files were public. For seven months. Nobody checked.

The scenario:

A developer needed to share a file with a contractor. They set the Azure blob container to public access. Uploaded the file. The contractor got it. 

The developer moved on to the next task. The container stayed public. For seven months, every file uploaded to that container was accessible to anyone with the URL. Client data. Backup files. Database exports. All indexed by search engines. 


The attack:

STAGE 1: MISCONFIGURATION

Developer sets Azure Blob Storage container to "public access" for a one-time file share.

No process exists for reviewing container permissions after creation.

Container remains public. Additional files are uploaded over the following months.

STAGE 2: DISCOVERY

Automated scanner (used by security researchers and attackers alike) discovers the public container.

URL pattern is predictable: clientname.blob.core.windows.net/backups/

Scanner indexes 4,200 files including SQL database backups, CSV exports, and PDF contracts.

STAGE 3: DATA EXPOSURE

Database backups contain customer PII: names, emails, addresses, payment history.

CSV exports contain financial reconciliation data.

PDF contracts contain signed agreements with pricing and terms.

Total exposure: 47,000 customer records across 4,200 files.

STAGE 4: CONSEQUENCE

A security researcher reports the exposure to the company.

Regulatory notification required under GDPR (personal data of EU residents exposed).

ICO investigation opened. Substantial regulatory fine expected.

3 clients terminate contracts citing data protection concerns.


What stopped it:

A security researcher scanning for exposed Azure containers discovered the data and reported it through responsible disclosure. Without the report, the exposure would have continued indefinitely. 


How to defend against it:

  1. Enable Azure Policy to prevent public access on storage containers by default

  2. Run weekly automated scans for publicly accessible cloud storage

  3. Implement a cloud security posture management (CSPM) tool

  4. Require approval workflows for any storage permission change

  5. Review all storage container permissions monthly

  6. Use time-limited shared access signatures (SAS tokens) instead of public access

  7. Enable Azure Defender for Storage to alert on anonymous access
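
A starting point for the weekly scan and monthly review in steps 2 and 5, as an added example that is not part of the original newsletter. The inventory is constructed sample data, and its field names are assumptions modelled on Azure's account-level "allow blob public access" switch and the per-container public access level; feed it an export from your own tooling.

```python
import json

# Constructed sample inventory (not real data). Field names are assumptions
# modelled on Azure's account-level "allowBlobPublicAccess" switch and the
# per-container public access level (none / blob / container).
SAMPLE_INVENTORY = json.loads("""
[
  {"account": "clientname", "allowBlobPublicAccess": true,
   "containers": [
     {"name": "backups", "publicAccess": "Container"},
     {"name": "invoices", "publicAccess": "blob"},
     {"name": "internal", "publicAccess": null}
   ]},
  {"account": "clientarchive", "allowBlobPublicAccess": false,
   "containers": [{"name": "exports", "publicAccess": "container"}]}
]
""")

# What each access level lets an anonymous caller do.
SEVERITY = {
    "container": ("HIGH", "anonymous listing and read of every blob"),
    "blob": ("MEDIUM", "anonymous read of any blob whose URL is known"),
}


def audit(inventory):
    """Return one finding per container whose public access level is set."""
    findings = []
    for acct in inventory:
        # Treat a missing or null account switch as "allowed": fail towards reporting.
        allowed = acct.get("allowBlobPublicAccess", True) is not False
        for c in acct.get("containers", []):
            level = (c.get("publicAccess") or "none").lower()
            if level not in SEVERITY:
                continue  # private container
            sev, effect = SEVERITY[level]
            if not allowed:
                # Account switch overrides the container setting, but the stale
                # setting becomes live again if the switch is ever flipped.
                sev, effect = "INFO", "blocked at account level; reset to private"
            findings.append({"account": acct["account"], "container": c["name"],
                             "level": level, "severity": sev, "effect": effect})
    order = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print("{severity:<6} {account}/{container} ({level}): {effect}".format(**f))
```

The HIGH finding is the case in this scenario: container-level access allows anonymous listing, which is how a scanner could index every file rather than only the one the contractor was sent.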

-

The developer solved their problem in 30 seconds. It took 7 months for anyone to notice the door they left open. 

Run a cloud storage audit this week.