Skip to main content
  1. Home
  2. Computing
  3. News

Microsoft accidentally released 38TB of private data in a major leak

By

It’s just been revealed that Microsoft researchers accidentally leaked 38TB of confidential information onto the company’s GitHub page, where potentially anyone could see it. Among the data trove was a backup of two former employees’ workstations, which contained keys, passwords, secrets, and more than 30,000 private Teams messages.

According to cloud security firm Wiz, the leak was published on Microsoft’s artificial intelligence (AI) GitHub repository and was accidentally included in a tranche of open-source training data. That means visitors were encouraged to download it, meaning it could have fallen into the wrong hands again and again.

A large monitor displaying a security hacking breach warning.
Stock Depot / Getty Images

Data breaches can come from all kinds of sources, but it will be particularly embarrassing for Microsoft that this one originated with its own AI researchers. The Wiz report states that Microsoft uploaded the data using Shared Access Signature (SAS) tokens, an Azure feature, that lets users share data through Azure Storage accounts.

Visitors to the repository were told to download the training data from a provided URL. However, the web address granted access to much more than just the planned training data, and allowed users to browse files and folders that were not intended to be publicly accessible.

Full control

A person using a laptop with a set of code seen on the display.
Sora Shimazaki / Pexels

It gets worse. The access token that allowed all this was misconfigured to provide full control permissions, Wiz reported, rather than more restrictive read-only permissions. In practice, that meant that anyone who visited the URL could delete and overwrite the files they found, not merely view them.

Wiz explains that this could have had dire consequences. As the repository was full of AI training data, the intention was for users to download it and feed it into a script, thereby improving their own AI models.

Yet because it was open to manipulation thanks to its wrongly configured permissions, “an attacker could have injected malicious code into all the AI models in this storage account, and every user who trusts Microsoft’s GitHub repository would’ve been infected by it,” Wiz explains.

Potential disaster

A digital depiction of a laptop being hacked by a hacker.
Digital Trends

The report also noted that the creation of SAS tokens – which grant access to Azure Storage folders such as this one – does not create any kind of paper trail, meaning “there is no way for an administrator to know this token exists and where it circulates.” When a token has full-access permissions like this one did, the results can be potentially disastrous.

Fortunately, Wiz explains that it reported the issue to Microsoft in June 2023. The leaky SAS token was replaced in July, and Microsoft completed its internal investigation in August. The security lapse has only just been reported to the public to allow time to fully fix it.

It’s a reminder that even seemingly innocent actions can potentially lead to data breaches. Luckily the issue has been patched, but it’s unknown whether hackers gained access to any of the sensitive user data before it was removed.

Editors' Recommendations

Topics
Alex Blake
Alex Blake
Computing Writer
In ancient times, people like Alex would have been shunned for their nerdy ways and strange opinions on cheese. Today, he…
81% think ChatGPT is a security risk, survey finds
A laptop screen shows the home page for ChatGPT, OpenAI's artificial intelligence chatbot.

ChatGPT has been a polarizing invention, with responses to the artificial intelligence (AI) chatbot swinging between excitement and fear. Now, a new survey shows that disillusionment with ChatGPT could be hitting new highs.

According to a survey from security firm Malwarebytes, 81% of its respondents are worried about the security and safety risks posed by ChatGPT. It’s a remarkable finding and suggests that people are becoming increasingly concerned by the nefarious acts OpenAI’s chatbot is apparently capable of pulling off.

Read more
Microsoft has a new way to keep ChatGPT ethical, but will it work?
Bing Chat shown on a laptop.

Microsoft caught a lot of flak when it shut down its artificial intelligence (AI) Ethics & Society team in March 2023. It wasn’t a good look given the near-simultaneous scandals engulfing AI, but the company has just laid out how it intends to keep its future efforts responsible and in check going forward.

In a post on Microsoft’s On the Issues blog, Natasha Crampton -- the Redmond firm’s Chief Responsible AI Officer -- explained that the ethics team was disbanded because “A single team or a single discipline tasked with responsible or ethical AI was not going to meet our objectives.”

Read more
Even Microsoft thinks ChatGPT needs to be regulated — here’s why
A MacBook Pro on a desk with ChatGPT's website showing on its display.

Artificial intelligence (AI) chatbots have been taking the world by storm, with the capabilities of Microsoft’s ChatGPT causing wonderment and fear in almost equal measure. But in an intriguing twist, even Microsoft is now calling on governments to take action and regulate AI before things spin dangerously out of control.

The appeal was made by BSA, a trade group representing numerous business software companies, including Microsoft, Adobe, Dropbox, IBM, and Zoom. According to CNBC, the group is advocating for the US government to integrate rules governing the use of AI into national privacy legislation.

Read more