Microsoft’s Oops Moment – Accidental 38TB Data Leak by AI Team

In a shocking revelation, Microsoft’s AI research team reportedly exposed a colossal 38 terabytes of the company’s private data, marking a significant misstep in the tech giant’s data management. This inadvertent leak was discovered by cloud security company Wiz, which detailed in a recent report that the exposed data included complete backups of two Microsoft employees’ computers, passwords to Microsoft services, secret keys, and an astonishing 30,000 internal Microsoft Teams messages from over 350 employees.

The leak was traced back to Microsoft’s AI team, who, in an effort to share training data containing open-source code and AI models for image recognition, inadvertently gave users complete access to an entire Azure storage account. This meant that anyone who stumbled upon the GitHub repository link provided by Microsoft could not only view but also upload, overwrite, or delete files. Wiz attributes this to the misuse of an Azure feature called Shared Access Signature (SAS) tokens, which are designed to grant access to Azure Storage data. Alarmingly, Wiz suggests that this data has been exposed since 2020.


Microsoft Accidentally Leaks 38TB of Private Data

In a recent turn of events, Microsoft’s Artificial Intelligence research team unintentionally exposed a colossal 38 terabytes of the company’s sensitive data, as reported by cloud security firm Wiz. The data leak included complete backups of two employees’ computers, revealing passwords to Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from more than 350 employees.

How Did It Happen?

The leak occurred when Microsoft’s AI researchers uploaded a set of training data to a GitHub repository. This data contained open-source code and AI models for image recognition. Users who stumbled upon the repository were directed to a download link from Azure, Microsoft’s cloud storage service. However, the link provided by the team gave users unrestricted access to the entire Azure storage account.

This blunder allowed visitors not only to view everything in the account but also to upload, overwrite, or even delete files. According to Wiz, the incident occurred due to an Azure feature known as Shared Access Signature (SAS) tokens – a kind of signed URL that provides access to Azure Storage data. Regrettably, the link used was configured with full access, rather than restricting access to specific files.
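To make the difference between a full-access link and a file-restricted one concrete, here is an added example (not code from Wiz or Microsoft) that audits a SAS URL before it is published, using the standard SAS query parameters (ss/srt for account scope, sr for resource scope, sp for permissions, se for expiry). The two sample URLs, the account name and the 7-day lifetime limit are constructed assumptions.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# SAS permission letters that let the holder change or remove data:
# write, delete, add, create, update, delete version, permanent delete.
MODIFYING = set("wdacuxy")

def parse_expiry(value):
    """Parse the ISO 8601 'se' value; SAS times are UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def audit_sas_url(url, now, max_days=7):
    """Return a list of findings for one SAS URL (empty list = nothing flagged)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["not-sas: no sig parameter"]
    findings = []
    # An account SAS carries ss (services) and srt (resource types) instead of sr.
    if "ss" in q and "srt" in q:
        findings.append(f"scope: account-level SAS (ss={q['ss']}, srt={q['srt']})")
    elif q.get("sr") == "c":
        findings.append("scope: whole container, not a single blob")
    perms = set(q.get("sp", ""))
    if perms & MODIFYING:
        findings.append("permissions: modifying rights " + "".join(sorted(perms & MODIFYING)))
    if "l" in perms:
        findings.append("permissions: list allows enumerating other files")
    if "se" in q:
        days = (parse_expiry(q["se"]) - now).days
        if days > max_days:
            findings.append(f"lifetime: expires in {days} days (limit {max_days})")
    elif "si" not in q:  # si = stored access policy, which can hold the expiry
        findings.append("lifetime: no expiry on the token")
    return findings

# Constructed sample URLs (account name, dates and signature are placeholders).
NOW = datetime(2023, 9, 18, tzinfo=timezone.utc)
BROAD = ("https://exampleaccount.blob.core.windows.net/models?sv=2020-08-04"
         "&ss=b&srt=sco&sp=rwdl&se=2050-01-01T00:00:00Z&sig=CONSTRUCTED")
NARROW = ("https://exampleaccount.blob.core.windows.net/models/weights.bin"
          "?sv=2020-08-04&sr=b&sp=r&se=2023-09-20T00:00:00Z&sig=CONSTRUCTED")

if __name__ == "__main__":
    for name, url in (("broad", BROAD), ("narrow", NARROW)):
        print(name, audit_sas_url(url, NOW) or "nothing flagged")
```

The broad URL is flagged for scope, modifying permissions, list permission and lifetime; the narrow one (single blob, read-only, two-day expiry) passes cleanly.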

Potential Issues and Resolution

The situation is further complicated by Wiz’s discovery that the data has likely been exposed since 2020. Wiz alerted Microsoft to the issue on June 22 of this year, prompting Microsoft to invalidate the SAS token and close the vulnerability two days later. An investigation into the potential impacts was also carried out and completed by Microsoft in August.

In a statement to TechCrunch, Microsoft said that “no customer data was exposed, and no other internal services were put at risk because of this issue.”

Takeaways

This incident highlights the significance of stringent security measures and careful management of access permissions, even within large, experienced tech companies like Microsoft. It is a potent reminder of the potential risks and vulnerabilities associated with cloud storage and data sharing. Companies must regularly update and review their security protocols, paying special attention to features like SAS tokens, to prevent such incidents from occurring.

Crive - News that matters