Azure Active Directory Credentials Leaked via Publicly Accessible JSON Configuration File
Summary
A publicly accessible configuration file (appsettings.json) from an ASP.NET Core application exposed Azure Active Directory (AD) credentials: an application ClientId and ClientSecret. With those two values an attacker can obtain access tokens from Microsoft's OAuth 2.0 token endpoint without any user interaction and use them against the organization's cloud resources. The incident is an instance of a common cloud misconfiguration: application secrets stored in files that end up reachable over the web. The affected organization has since closed the loophole, but the discovery underscores the broader risk of cloud misconfigurations and the need for better secrets management practices.
Timeline
- 02.09.2025 14:52 (1 article)
Azure AD Credentials Exposed via Publicly Accessible Configuration File
A publicly accessible appsettings.json file from an ASP.NET Core application exposed Azure AD credentials (ClientId and ClientSecret) that could be used to authenticate against Azure AD and access cloud services in the organization's tenant. The affected organization has since closed the loophole, but the discovery underscores the broader risk of cloud misconfigurations and the need for better secrets management practices.
Source: JSON Config File Leaks Azure ActiveDirectory Credentials | www.darkreading.com | 02.09.2025 14:52
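How the leaked file looks and where the secret belongs, as an added example (this is not code from the Dark Reading report or from the affected organization; the two JSON documents below are constructed, and the GUIDs and secret value are placeholders). The scanner flags credential-bearing keys in an appsettings.json, and effective_config mimics ASP.NET Core's default configuration layering, in which an environment variable named AzureAd__ClientSecret is read as the config path AzureAd:ClientSecret, so the secret can be supplied at runtime without ever being written to the file:

```python
"""Spot Azure AD credential material in an ASP.NET Core appsettings.json and
show where the secret should live instead.

Added example, not code from the report or the affected organization.  The
two config documents are constructed; GUIDs and the secret are placeholders.
"""
import json
import os
import re

# Constructed: the shape of the exposed file as described in the report, an
# "AzureAd" section carrying both the app id and its client secret.
LEAKED_APPSETTINGS = """
{
  "Logging": { "LogLevel": { "Default": "Information" } },
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "11111111-2222-3333-4444-555555555555",
    "ClientId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "ClientSecret": "Q~8x.placeholder.secret.value.0000000000000000"
  },
  "AllowedHosts": "*"
}
"""

# Constructed: the same section with the secret removed from the file.  The
# runtime supplies it from the environment (or Key Vault / a managed identity
# where the app can use one); the file itself then holds nothing sensitive.
HARDENED_APPSETTINGS = """
{
  "Logging": { "LogLevel": { "Default": "Information" } },
  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "TenantId": "11111111-2222-3333-4444-555555555555",
    "ClientId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
  },
  "AllowedHosts": "*"
}
"""

# Leaf key names that, when they carry a non-empty literal, mean a credential
# is sitting in the file.  Matched case-insensitively against the leaf key.
SECRET_KEY_PATTERN = re.compile(
    r"(clientsecret|secret|password|pwd|apikey|api_key|connectionstring|"
    r"accountkey|sharedaccesskey|privatekey)$", re.IGNORECASE)

# Values that are obviously not real credentials.
PLACEHOLDER_VALUES = {"", "<secret>", "changeme", "todo", "null"}


def flatten(node, prefix=""):
    """Yield (path, value) pairs using ASP.NET Core's 'Section:Key' notation."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from flatten(value, f"{prefix}{key}:")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from flatten(value, f"{prefix}{i}:")
    else:
        yield prefix[:-1], node


def find_embedded_secrets(appsettings_text):
    """Return config paths whose key looks credential-bearing and whose value
    is a real-looking string literal rather than a placeholder."""
    findings = []
    for path, value in flatten(json.loads(appsettings_text)):
        leaf = path.rsplit(":", 1)[-1]
        if not SECRET_KEY_PATTERN.search(leaf):
            continue
        if not isinstance(value, str) or value.strip().lower() in PLACEHOLDER_VALUES:
            continue
        findings.append(path)
    return findings


def effective_config(appsettings_text, environ):
    """Mimic ASP.NET Core's default provider order: appsettings.json first,
    then environment variables, where 'AzureAd__ClientSecret' maps to the
    config path 'AzureAd:ClientSecret' and overrides or adds that value."""
    config = dict(flatten(json.loads(appsettings_text)))
    for name, value in environ.items():
        if "__" in name:
            config[name.replace("__", ":")] = value
    return config


if __name__ == "__main__":
    print("leaked file   :", find_embedded_secrets(LEAKED_APPSETTINGS))
    print("hardened file :", find_embedded_secrets(HARDENED_APPSETTINGS))
    # The secret reaches the app only through the process environment.
    env = {"AzureAd__ClientSecret": os.environ.get("AzureAd__ClientSecret", "<from env>")}
    print("runtime value :", effective_config(HARDENED_APPSETTINGS, env)["AzureAd:ClientSecret"])
```

Run the scanner against the real file on the server and against the published output, which often also contains an appsettings.Production.json. Removing the secret from the file fixes the content; the file must also never be reachable over HTTP. appsettings.json lives in the application's content root, which Kestrel and the static-files middleware do not serve by default, so exposures typically come from serving the whole publish directory through a front-end web server or from copying configuration into wwwroot.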
Information Snippets
All snippets first reported 02.09.2025 14:52 (1 source, 1 article): JSON Config File Leaks Azure ActiveDirectory Credentials | www.darkreading.com | 02.09.2025 14:52
- The exposed credentials included Azure AD ClientId and ClientSecret.
- The credentials were stored in an appsettings.json file, which is commonly used in ASP.NET Core applications.
- The exposed credentials could be used to authenticate against Azure AD via the OAuth 2.0 Client Credentials flow.
- Attackers could use the acquired access token to enumerate users, groups, and directory roles in Azure AD.
- The leak could enable attackers to retrieve sensitive data from SharePoint, OneDrive, or Exchange Online.
- The incident highlights the risk of exposing appsettings.json files, which often contain critical configuration data.
- The exposed credentials could be used to deploy malicious applications under the organization's tenant.
- The affected organization has closed the loophole, but the discovery underscores the broader risk of cloud misconfigurations.
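What an attacker does with a leaked ClientId and ClientSecret, and how a defender reads the blast radius off the resulting token, as an added example (not code from the report or the affected organization). build_token_request produces the OAuth 2.0 client credentials request to the Microsoft identity platform's v2.0 token endpoint that the snippets above describe; the token response is constructed locally so the example runs offline, with tenant, app id and granted roles as placeholders. The mapping from Microsoft Graph application permissions to the outcomes the snippets list (directory enumeration, SharePoint/OneDrive/Exchange data, application registration) is the editor's own summary of those permissions' documented scope:

```python
"""What the leaked ClientId/ClientSecret buy an attacker, and how a defender
reads the blast radius off the token that comes back.

Added example, not code from the report or the affected organization.  No
network call is made: the token response is constructed, and its claims
(tenant, app id, roles) are placeholders.
"""
import base64
import json
from urllib.parse import urlencode


def build_token_request(tenant_id, client_id, client_secret,
                        scope="https://graph.microsoft.com/.default"):
    """Return (url, form_body) for the OAuth 2.0 client credentials grant
    against the Microsoft identity platform v2.0 endpoint.  Only the two
    leaked values and the tenant are needed: no user, no MFA, no consent."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return url, body


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Return a JWT payload *without* verifying the signature.  Fine for
    reading what a token we just received asserts about itself; never
    acceptable for authorising a request."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def app_only_permissions(claims):
    """App-only (client credentials) tokens carry their granted application
    permissions in the 'roles' claim.  A token with 'scp' instead was issued
    on behalf of a user and is a different problem."""
    if "scp" in claims:
        return []
    return sorted(claims.get("roles", []))


# Which Graph application permissions enable the outcomes the report lists.
IMPACT = {
    "enumerate users, groups and roles": {
        "Directory.Read.All", "User.Read.All", "Group.Read.All",
        "RoleManagement.Read.Directory"},
    "read SharePoint / OneDrive content": {
        "Sites.Read.All", "Sites.ReadWrite.All", "Files.Read.All"},
    "read Exchange Online mailboxes": {"Mail.Read", "Mail.ReadWrite"},
    "register / modify applications": {
        "Application.ReadWrite.All", "Application.ReadWrite.OwnedBy"},
}


def assess_blast_radius(roles):
    """Map the granted roles to the capabilities an attacker gains."""
    granted = set(roles)
    return {outcome: sorted(granted & needed)
            for outcome, needed in IMPACT.items() if granted & needed}


def constructed_token_response():
    """A fabricated v2.0 token response.  The JWT is unsigned (alg 'none',
    empty signature) purely so the example runs offline; a real token is
    RS256-signed by the identity platform."""
    header = {"typ": "JWT", "alg": "none"}
    claims = {
        "aud": "https://graph.microsoft.com",
        "iss": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
        "appid": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
        "tid": "11111111-2222-3333-4444-555555555555",
        "roles": ["Directory.Read.All", "Sites.Read.All", "Mail.Read"],
    }
    token = ".".join([_b64url_encode(json.dumps(header).encode()),
                      _b64url_encode(json.dumps(claims).encode()), ""])
    return {"token_type": "Bearer", "expires_in": 3599, "access_token": token}


if __name__ == "__main__":
    url, body = build_token_request("11111111-2222-3333-4444-555555555555",
                                    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
                                    "Q~8x.placeholder.secret.value")
    print("POST", url)
    print(body)
    claims = decode_jwt_claims(constructed_token_response()["access_token"])
    roles = app_only_permissions(claims)
    print("roles:", roles)
    for outcome, perms in assess_blast_radius(roles).items():
        print(f" - {outcome}: via {', '.join(perms)}")
```

Because the grant is app-only, the attacker needs no user, password or MFA: possession of the two strings is the whole authentication. In the tenant, the equivalent check is the app registration's granted application permissions; that is what decides whether the leak means read-only directory enumeration or mailbox access and new application registrations. After such a leak, rotate the secret (or replace it with a certificate or managed identity), review and trim the app's permissions, and hunt the sign-in logs for the app's service principal.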
Similar Happenings
Salesloft OAuth breach exposes Salesforce customer data via Drift AI chat agent
A threat actor tracked as UNC6395 used OAuth tokens associated with the Drift AI chat agent to breach Salesloft and access customer data across multiple integrations, including Salesforce and Google Workspace. The activity ran between August 8 and 18, 2025 and affected over 700 organizations, including Zscaler, Palo Alto Networks, Cloudflare, Google Workspace, PagerDuty, Proofpoint, SpyCloud, and Tanium. The attackers targeted Salesforce instances and accessed email from a small number of Google Workspace accounts, exporting large volumes of data, including credentials and access tokens. UNC6395 systematically exported large volumes of data from numerous corporate Salesforce instances, searching for secrets that could be used to compromise victim environments, and showed operational security awareness by deleting query jobs. Salesloft and Salesforce have taken steps to mitigate the breach and are advising affected customers to revoke API keys and rotate credentials; Salesloft will temporarily take Drift offline to enhance security. The campaign is not limited to Salesforce customers who integrate their own solutions with the Salesforce service; it affects all integrations using Salesloft Drift, and it illustrates the risk of third-party integrations and supply chain attacks. The breach is unrelated to previous vishing attacks attributed to ShinyHunters. There is no evidence that the breaches directly impacted Google Cloud customers. Organizations are urged to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access. The blast radius of the Salesloft Drift attacks remains uncertain, with the ultimate scope and severity still unclear.
Numerous companies have disclosed downstream breaches resulting from this campaign, including Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, and Tenable; Zscaler and Palo Alto Networks warned of follow-on social engineering attacks. Cloudflare confirmed that some customer support interactions may reveal information about a customer's configuration and could contain sensitive information such as access tokens. Okta prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework; it recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications. Palo Alto Networks' Unit 42 recommends an immediate log review for signs of compromise and rotation of exposed credentials. The intrusion began with the compromise of Salesloft's GitHub account between March and June 2025: UNC6395 downloaded content from multiple repositories, added a guest user, established workflows, and carried out reconnaissance in the Salesloft and Drift application environments during that period. Salesloft isolated the Drift infrastructure, application, and code and took the application offline on September 5, 2025; it rotated credentials in the Salesloft environment and hardened it with improved segmentation controls between the Salesloft and Drift applications. Salesforce restored the integration with the Salesloft platform on September 7, 2025, but Drift remains disabled. 22 companies have confirmed they were impacted by the supply chain breach. ShinyHunters and Scattered Spider were also involved in the Salesloft Drift attacks.