Microsoft is facing intense scrutiny over its software security practices after a recent incident that saw sensitive login credentials and other internal data exposed on the open internet.
According to a report from TechCrunch, three security researchers at SOCRadar — a cybersecurity firm that specializes in detecting corporate vulnerabilities — discovered last month that a Microsoft server hosted on the company’s own Azure cloud platform was left unprotected and accessible to anyone online. The server contained a trove of security keys, passwords, and other credentials used by Microsoft employees to access internal systems and data repositories.
Can Yoleri, one of the SOCRadar researchers involved in the discovery, told TechCrunch that malicious hackers could have potentially leveraged the exposed data as an entry point to infiltrate other areas of Microsoft’s infrastructure where sensitive information is stored. “[This] could result in more significant data leaks and possibly compromise the services in use,” Yoleri warned.
The exposed server was linked to Microsoft’s Bing search engine, housing various scripts, code, and configuration files riddled with employee credentials. Upon being alerted to the vulnerability on February 6th, Microsoft reportedly took action to lock down the server by March 5th — nearly a month later. It remains unclear whether any nefarious actors managed to access and abuse the exposed data during that window.
A Microsoft spokesperson stated: “We’re investigating the reported exposure of credentials and will take appropriate remediation steps.” The company did not provide any additional details.
