Unintentional data leak

It was recently revealed that researchers in Microsoft's AI research division accidentally exposed several terabytes of sensitive data. The exposure happened when a storage bucket containing open-source training data was shared via GitHub.

The discovery of the leak

Cloud security startup Wiz stumbled upon the accidental disclosure of cloud-hosted data via a GitHub repository owned by Microsoft's AI research division. What began as a simple deployment of open source code and AI models for image recognition quickly turned into a nightmare for Microsoft's security team.

The extent of the data leak

Upon accessing the Azure storage URL provided in the repository, Wiz found that it was configured to grant access to the entire storage account. This led to the unintended exposure of 38 terabytes of sensitive data. Among the exposed data were personal backups from two Microsoft employees' computers, passwords for Microsoft services, secret keys and thousands of internal Microsoft Teams messages.

The root of the problem

It turned out that the problem was not with the storage account itself but with a SAS (Shared Access Signature) token embedded in the URL, which was far too permissive. SAS tokens are an Azure mechanism for sharing data from a storage account: a signed URL whose scope, permissions and lifetime are chosen by whoever generates it, so an over-broad or long-lived token hands out far more than intended.
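As an added illustration (not part of the original article), the following Python snippet parses a SAS URL's query parameters and flags the properties that made this kind of token dangerous: whole-account scope, write and delete rights, a far-off expiry and no source-IP restriction. The storage account, container and signature in the constructed sample URL are placeholders, and the parameter names are the standard Azure SAS query keys.

```python
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample: an account SAS URL of the shape described above
# (services+containers+objects scope, read/write/delete rights, expiry
# decades away). Account name, container and signature are placeholders.
SAMPLE_URL = (
    "https://examplestorage.blob.core.windows.net/trainingdata?"
    "sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacup&st=2021-07-20T00:00:00Z"
    "&se=2051-10-06T07:04:19Z&spr=https&sig=PLACEHOLDER_SIGNATURE"
)

# Permission letters that allow changing data: write, delete, add, create,
# update, process. 'r' (read) and 'l' (list) are left out on purpose.
MUTATING = set("wdacup")


def parse_sas_time(value: str) -> datetime:
    """Parse an SAS 'se'/'st' timestamp (ISO 8601, 'Z' suffix) as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def assess_sas(url: str, now: Optional[datetime] = None) -> list:
    """Return a list of findings describing how permissive a SAS URL is."""
    now = now or datetime.now(timezone.utc)
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in params or "se" not in params:
        return ["not a SAS URL (no signature or expiry parameter)"]
    findings = []
    # Account SAS carries 'srt' (resource types); service SAS carries 'sr'.
    if "srt" in params:
        scope = set(params["srt"])
        if scope >= {"s", "c", "o"}:
            findings.append("account SAS over services, containers and "
                            "objects: entire storage account exposed")
        else:
            findings.append("account SAS limited to resource types "
                            + "".join(sorted(scope)))
    elif params.get("sr"):
        findings.append(f"service SAS scoped to resource type '{params['sr']}'")
    mutating = set(params.get("sp", "")) & MUTATING
    if mutating:
        findings.append("grants mutating permissions "
                        + "".join(sorted(mutating)) + ": data can be altered")
    days_left = (parse_sas_time(params["se"]) - now).days
    if days_left > 365:
        findings.append(f"expires in {days_left} days: effectively permanent")
    elif days_left < 0:
        findings.append("already expired")
    if "sip" not in params:
        findings.append("no source-IP restriction")
    return findings
```

Run against a repository's committed URLs, such a check catches tokens that are scoped far wider or live far longer than the data they were meant to share.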

The consequences and Microsoft's reaction

After Wiz shared its findings with Microsoft on June 22, Microsoft revoked the SAS token on June 24. When the investigation concluded in August, Microsoft stated that no customer data had been exposed. In direct response to the discovery, Microsoft also improved GitHub's secret scanning service to ensure that such incidents are avoided in the future.

Conclusions

This incident highlights the growing challenges in cybersecurity, especially in an era dominated by AI and cloud technologies. It is a wake-up call for companies to rethink their security protocols and ensure that human error does not lead to serious data breaches.
