Microsoft accidentally shared 38TB of sensitive data on GitHub

"No customer data was exposed, and no other internal services were put at risk because of this issue," said Microsoft

In an effort to share open-source code and AI models with other researchers, a team of Microsoft AI researchers inadvertently ended up exposing 38TB of personal company data on GitHub.

In a report shared by cybersecurity firm Wiz, the exposed data included passwords to Microsoft services, secret keys and thousands of internal Teams messages from 359 Microsoft employees.

Microsoft’s researchers included a link to download pre-trained models from their Azure Storage account using a feature called “SAS tokens,” which allows users to share data with others. However, the link they shared gave access to their entire storage account, not just the models they intended to share.

Additionally, if someone were to breach the sensitive data, they could not just read the files but also delete and overwrite them, changing them in real-time in Microsoft’s storage account.

The link was discovered by Wiz on June 22nd, and Microsoft subsequently revoked the token for the link by June 24th. “No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue,” wrote Microsoft in a blog post about the incident. “Additional investigation then took place to understand any potential impact to our customers and/or business continuity. Our investigation concluded that there was no risk to customers as a result of this exposure.”

Here’s a timeline of the events:

  • July 20th, 2020 SAS token first committed to GitHub; expiry set to Oct. 5th, 2021
  • October 6th, 2021 – SAS token expiry updated to October 6th, 2051
  • June 22nd, 2023 – Wiz Research finds and reports issue to MSRC
  • June 24th, 2023 – SAS token invalidated by Microsoft
  • July 7th, 2023 – SAS token replaced on GitHub
  • August 16th, 2023 – Microsoft completes internal investigation of potential impact
  • September 18th, 2023 – Public disclosure

Read the full report here.

Source: Microsoft, Wiz Via: Engadget