Skip to main content
  1. Home
  2. Computing
  3. News

Microsoft accidentally released 38TB of private data in a major leak

By

It’s just been revealed that Microsoft researchers accidentally leaked 38TB of confidential information onto the company’s GitHub page, where potentially anyone could see it. Among the data trove was a backup of two former employees’ workstations, which contained keys, passwords, secrets, and more than 30,000 private Teams messages.

According to cloud security firm Wiz, the leak was published on Microsoft’s artificial intelligence (AI) GitHub repository and was accidentally included in a tranche of open-source training data. That means visitors were encouraged to download it, meaning it could have fallen into the wrong hands again and again.

A large monitor displaying a security hacking breach warning.
Stock Depot / Getty Images

Data breaches can come from all kinds of sources, but it will be particularly embarrassing for Microsoft that this one originated with its own AI researchers. The Wiz report states that Microsoft uploaded the data using Shared Access Signature (SAS) tokens, an Azure feature, that lets users share data through Azure Storage accounts.

Recommended Videos

Visitors to the repository were told to download the training data from a provided URL. However, the web address granted access to much more than just the planned training data, and allowed users to browse files and folders that were not intended to be publicly accessible.

Related

Full control

A person using a laptop with a set of code seen on the display.
Sora Shimazaki / Pexels

It gets worse. The access token that allowed all this was misconfigured to provide full control permissions, Wiz reported, rather than more restrictive read-only permissions. In practice, that meant that anyone who visited the URL could delete and overwrite the files they found, not merely view them.

Wiz explains that this could have had dire consequences. As the repository was full of AI training data, the intention was for users to download it and feed it into a script, thereby improving their own AI models.

Yet because it was open to manipulation thanks to its wrongly configured permissions, “an attacker could have injected malicious code into all the AI models in this storage account, and every user who trusts Microsoft’s GitHub repository would’ve been infected by it,” Wiz explains.

Potential disaster

A digital depiction of a laptop being hacked by a hacker.
Digital Trends

The report also noted that the creation of SAS tokens – which grant access to Azure Storage folders such as this one – does not create any kind of paper trail, meaning “there is no way for an administrator to know this token exists and where it circulates.” When a token has full-access permissions like this one did, the results can be potentially disastrous.

Fortunately, Wiz explains that it reported the issue to Microsoft in June 2023. The leaky SAS token was replaced in July, and Microsoft completed its internal investigation in August. The security lapse has only just been reported to the public to allow time to fully fix it.

It’s a reminder that even seemingly innocent actions can potentially lead to data breaches. Luckily the issue has been patched, but it’s unknown whether hackers gained access to any of the sensitive user data before it was removed.

Editors’ Recommendations

Topics
Alex Blake
Alex Blake
Computing Writer
Alex Blake has been working with Digital Trends since 2019, where he spends most of his time writing about Mac computers…
Huge leak reveals Microsoft’s new laptops coming next week
Leaked renderings of the Microsoft Surface Laptop Go 3, showing two laptops intersecting over each other.

We’re just a week away from Microsoft’s upcoming Surface event, yet a plethora of renders and information have just leaked out, spilling the beans on a new Surface Laptop Studio 2, updates to the Surface Laptop Go 3, and an all-new Surface Go 4.

According to the German website WinFuture (via OnMSFT), this information was gleaned from third-party retailers who have already been provided with official data from Microsoft. It’s a slip-up Microsoft would rather have avoided so close to launch day.

Read more
Microsoft says bizarre travel article was not created by ‘unsupervised AI’
Microsoft logo

According to a recent article posted by Microsoft Travel on microsoft.com, attractions worth checking out on a visit to the Canadian capital of Ottawa include the National War Memorial, Parliament Hill, Fairmont Château Laurier, Ottawa Food Bank ... hang on, Ottawa Food Bank?

Spotted in recent days by Canada-based tech writer Paris Marx, the article puts Ottawa Food Bank at number 3 in a list of 15 must-see places in the city. And as if that wasn't bad enough, the accompanying description even suggests visiting it “on an empty stomach.”

Read more
Microsoft ‘special event’ set for September – Surfaces and AI announcements likely
microsoft

Microsoft has announced it will be holding what it describes as a “special event” in New York City on Thursday, September 21, though at the current time, it’s giving little away on what it’s about.

The expectation is that the tech giant will unveil some new products, though at this point it’s only possible to speculate. In that case, updates to its Surface hardware could certainly be incoming, including for its flagship Surface Laptop Studio, which launched two years ago and is therefore due for a refresh.

Read more