Sign in

Microsoft employees accidentally expose 38TB of internal data; company respond

Microsoft AI research team accidentally exposed 38 terabytes of private data on GitHub, but no customer data was at risk.

Published on: Sep 19, 2023, 22:58:50 IST
Share
Share via
  • facebook
  • twitter
  • linkedin
  • whatsapp
Copy link
  • copy link

Microsoft's AI research team accidentally exposed 38 terabytes of private data, including sensitive information like secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages while sharing open-source training data on GitHub, according to cloud security company Wiz.

Microsoft said no customer data was exposed.
Microsoft said no customer data was exposed.

The exposure occurred because the researchers used an Azure feature called Shared Access Signature (SAS) tokens to share their files, but the access level was configured incorrectly. Instead of limiting access to specific files, the link shared the entire storage account, including the additional 38TB of private data, the report said.

Additionally, the token was misconfigured to allow "full control" permissions, thus “not only could an attacker view all the files in the storage account, but they could delete and overwrite existing files as well.”

Microsoft's reply

Wiz reported its findings to Microsoft on June 22, leading Microsoft to revoke the SAS token on June 24.

Microsoft completed its investigation and said that no customer data or other Microsoft services were at risk due to this issue. Furthermore, it said that customers need not take any additional action for security.

“No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue,” it said in a statement.

The tech giant explained that the problem stemmed from a Microsoft researcher inadvertently including the SAS token in a public GitHub repository while contributing to open-source AI learning models. Microsoft clarified that there was no security issue or vulnerability within Azure Storage or the SAS token feature.

To prevent such incidents, Microsoft said, it encourages users to create and handle SAS tokens appropriately and follow best practices. It said it is also actively improving its detection and scanning tools to identify cases of over-provisioned SAS URLs and enhance their secure-by-default posture.

  • HT News Desk
    ABOUT THE AUTHOR
    HT News Desk

    Follow the latest breaking news, major developments and agenda-setting stories from India and around the world with the newsdesk at Hindustan Times. Operating round the clock, the desk brings together experienced editors, reporters and correspondents to deliver fast, accurate and contextual reporting across subjects that influence public policy, governance, business, society and international affairs. The HT News Desk covers politics, elections, government policies, the economy, business and markets, science and technology, the environment, law and order, infrastructure, education, climate issues and geopolitics, while closely tracking developments across states, institutions and global capitals. The team also leads coverage of major breaking news events, policy announcements, court proceedings, natural disasters, public emergencies and significant international developments. Reports published by the newsdesk are based on information gathered from reporters on the ground, official statements, government agencies, court records, regulatory filings, recognised institutions and other authoritative sources. Stories undergo editorial scrutiny and verification processes to ensure accuracy, fairness and relevance, and are updated as events evolve and additional information becomes available. Whether covering a key political decision in New Delhi, an economic policy shift affecting millions, a landmark court ruling or a major global event, the HT News Desk aims to provide readers with reliable, fact-based journalism that delivers not only the latest developments but also the context and analysis needed to understand their wider implications.Read More