Complete News World

Microsoft data breach: 38 terabytes of data publicly available online

38 TB of internal Microsoft data was publicly available on GitHub. The error was not discovered until three years later by outside security researchers.

AI firm Microsoft has inadvertently exposed a large amount of private data on its software development platform GitHub, security firm Wiz has highlighted. For three years, 38 terabytes of internal data remained unencrypted and unnoticed.

A team from cloud security company Wiz discovered the exposure of cloud-hosted data on an AI training platform via a misconfigured link in June last year. According to Wiz, the data was shared by the Microsoft research team when publishing open source training data on GitHub.

Repository users were prompted to download the AI models from a cloud storage URL. However, the URL was misconfigured to grant permissions on the entire storage account. The SAS (Shared Access Signature) token was therefore provided in error. A SAS token is a signed URL that grants access to data in Azure Storage accounts. “The user can customize the level of access; permissions range from read-only to full control, while scope can be either a single file, a container, or an entire storage account,” the security researchers said. In this case the token also gave the user full control rights rather than just read rights, meaning the user could delete and overwrite existing files, Wiz security researchers wrote in a blog post.

Wiz said the exposed data included backups of Microsoft employees’ personal computers, which included passwords to Microsoft services, secret keys, and more than 30,000 internal Microsoft Teams messages from 359 Microsoft employees.
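The permission and scope settings the researchers describe are visible in a SAS URL's query string, so a link can be checked before it is published. The following is an added example, not code from Wiz or Microsoft: it reads the standard SAS parameters (`sp`, `sr`, `ss`, `srt`, `se`, `sig`) and flags account-wide scope, rights beyond read/list, and long lifetimes. The host name, signatures and the seven-day threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

READ_ONLY = set("rl")  # read and list; any other sp letter is treated as more than read-only
MAX_LIFETIME = timedelta(days=7)  # assumed policy threshold, not an Azure default


def parse_expiry(value):
    """Parse the se (signed expiry) value, which is ISO 8601 in UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_sas_url(url, now):
    """Return findings for one SAS URL; an empty list means nothing was flagged."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in params:
        return ["no sig parameter: not a SAS URL"]
    findings = []
    if "srt" in params and "ss" in params:  # account SAS carries services and resource types
        findings.append(f"account SAS: services={params['ss']} resource types={params['srt']}")
    elif params.get("sr") == "c":  # service SAS on a container covers every blob in it
        findings.append("service SAS scoped to a whole container")
    extra = sorted(set(params.get("sp", "")) - READ_ONLY)
    if extra:
        findings.append("permissions beyond read/list: " + "".join(extra))
    if "se" not in params:
        findings.append("no se parameter: expiry comes from a stored access policy or is missing")
    elif parse_expiry(params["se"]) - now > MAX_LIFETIME:
        findings.append(f"expires {params['se']}, more than {MAX_LIFETIME.days} days away")
    return findings


NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock so the output is repeatable
BASE = "https://acct.blob.example/models"  # constructed host, not a real storage account
SAMPLES = {  # constructed URLs; signatures are placeholders
    "account-wide": BASE + "?sv=2021-08-06&ss=b&srt=sco&sp=rwdlacup"
                           "&se=2030-01-01T00:00:00Z&sig=PLACEHOLDER",
    "single-blob": BASE + "/model.ckpt?sv=2021-08-06&sr=b&sp=r"
                          "&se=2024-01-02T00:00:00Z&sig=PLACEHOLDER",
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, audit_sas_url(url, NOW) or "nothing flagged")
```

The same function can be run over every URL found in a repository's README and scripts as a pre-publication check.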

Publicly sharing data is a key component of AI training, but sharing larger amounts of data puts companies at greater risk if it is shared incorrectly, researchers say. Wiz shared the data with Microsoft in June, and Microsoft then promptly removed the exposed data, said Ami Luttwak, Wiz’s chief technology officer and co-founder, adding that the incident “could have been worse.”

Customer details were not disclosed

When asked, a Microsoft spokesperson said: “We have confirmed that no customer data was exposed and no other internal services were compromised.”

In a blog post published on Monday, Microsoft said it investigated and resolved an incident involving a Microsoft employee who shared the URL of open source AI learning models in a public GitHub repository. Microsoft said the data disclosed in the storage account included backups of workplace profiles of two former employees and internal Microsoft Teams messages from those two employees with their colleagues.

The data cache was found by the Wiz research team while searching the Internet for misconfigured storage containers. The blog says this is part of its ongoing work on accidental disclosure of data hosted in the cloud. Wiz researchers stress that this example shows how insecure it is to use SAS tokens for external sharing, and that this should therefore be avoided. In addition, there is no option for managing the tokens centrally, and they are difficult to track. (Bloomberg/Bajri)