Your Privacy Hub

Yes We Trust moves to Didomi

We are excited to share that going forward, Yes We Trust content will be incorporated into Didomi, where we will continue to post relevant, educational content that helps you make sense of data privacy today, including our flagship newsletter and opinion pieces. Thank you for your continued support, and see you there!


    Published on September 21, 2023

    Microsoft AI team's oversight results in 38 TB data exposure

    This week, Microsoft AI faced a data leak that exposed tens of terabytes of sensitive data, including private keys, passwords, and over 30,000 internal Microsoft Teams messages, while publishing open-source training data on GitHub. The exposure was discovered by Wiz, a cloud security company.

    The incident occurred when researchers shared files on GitHub using shared access signature (SAS) tokens. The tokens were misconfigured: they granted access to the entire storage account rather than just the necessary files, and with "full control" permissions rather than "read-only." Repository visitors were instructed to obtain the training data from a specified URL, but that web address unintentionally exposed a much broader range of files and directories, letting users explore content that was never meant to be public.
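
    To make the misconfiguration concrete, here is a minimal sketch using the azure-storage-blob Python SDK; the account, container, blob, and key values are hypothetical placeholders, not the actual resources involved. The first token reproduces the failure mode described above (account-wide scope, broad permissions, far-off expiry), while the second shows the narrower alternative: read-only, scoped to a single blob, and short-lived.

```python
from datetime import datetime, timedelta, timezone

from azure.storage.blob import (
    AccountSasPermissions,
    BlobSasPermissions,
    ResourceTypes,
    generate_account_sas,
    generate_blob_sas,
)

ACCOUNT_NAME = "exampleaccount"        # hypothetical storage account
ACCOUNT_KEY = "<storage-account-key>"  # secret; never commit this

# The failure mode: an account-level SAS that exposes every container and
# blob in the account, with write/delete rights and a ten-year expiry.
risky_token = generate_account_sas(
    account_name=ACCOUNT_NAME,
    account_key=ACCOUNT_KEY,
    resource_types=ResourceTypes(service=True, container=True, object=True),
    permission=AccountSasPermissions(
        read=True, write=True, delete=True, list=True
    ),
    expiry=datetime.now(timezone.utc) + timedelta(days=3650),
)

# The narrower alternative: a read-only SAS scoped to the one blob the
# repository actually needs to share, expiring within a day.
scoped_token = generate_blob_sas(
    account_name=ACCOUNT_NAME,
    container_name="datasets",
    blob_name="training_data.zip",
    account_key=ACCOUNT_KEY,
    permission=BlobSasPermissions(read=True),
    expiry=datetime.now(timezone.utc) + timedelta(hours=24),
)

download_url = (
    f"https://{ACCOUNT_NAME}.blob.core.windows.net/"
    f"datasets/training_data.zip?{scoped_token}"
)
```

    Anyone holding the first token can read, modify, or delete anything in the storage account until it expires; the second only lets its holder download one file for a day, which is all a link to training data should ever grant.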

    Wiz found the exposed data during routine internet scans; by then, the publicly accessible SAS token had been available on GitHub for three years.

    “A threat actor would not need deep technical expertise to gain access to this data. It could have been discovered and exploited by practically anyone”

    -Shir Tamari, Head of Research at Wiz (Source: TechTarget)

    Microsoft clarified that no customer data was compromised and that no other internal services were affected. The misconfigured SAS token and resulting data exposure are part of a series of incidents following the Storm-0558 attacks, in which a China-based threat actor compromised the email systems of 25 customers, including federal government agencies. Microsoft disclosed that the attackers exploited a token validation issue, which has since been corrected.

    "Due to a lack of monitoring and governance, SAS tokens pose a security risk, and their usage should be as limited as possible. These tokens are very hard to track, as Microsoft does not provide a centralized way to manage them within the Azure portal"

    -Hillai Ben-Sasson and Ronny Greenberg, Security Researchers (Source: Wiz)

    Microsoft has expanded GitHub's secret scanning service to monitor open-source code changes for credential exposure. Wiz also shared takeaways for future practice, chief among them that security teams should be more closely involved in the AI research and development process.
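
    Scanning for leaked tokens of this kind is straightforward to approximate. The sketch below is our own minimal illustration, not GitHub's actual scanning pipeline: it walks a checked-out repository and flags URLs carrying the sv= (signed version) and sig= (signature) query parameters that characterize Azure SAS tokens. The regex and helper names are ours.

```python
import re
from pathlib import Path

# An Azure Storage endpoint followed by a path/query string. The sv= and
# sig= query parameters together strongly suggest an embedded SAS token.
AZURE_URL = re.compile(
    r"https://[a-z0-9]+\.(?:blob|dfs|file|queue|table)"
    r"\.core\.windows\.net/\S+",
    re.IGNORECASE,
)

def looks_like_sas(url: str) -> bool:
    """A URL with both a signed version and a signature is likely a SAS URL."""
    return bool(re.search(r"[?&]sv=", url)) and bool(re.search(r"[?&]sig=", url))

def scan_repo(repo_root: str) -> list[tuple[str, int, str]]:
    """Walk every file under repo_root and report lines with likely SAS URLs."""
    findings = []
    for path in Path(repo_root).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        for lineno, line in enumerate(text.splitlines(), start=1):
            for url in AZURE_URL.findall(line):
                if looks_like_sas(url):
                    findings.append((str(path), lineno, url))
    return findings

if __name__ == "__main__":
    for file, lineno, url in scan_repo("."):
        print(f"{file}:{lineno}: possible SAS URL: {url[:80]}")
```

    A check like this, run in CI before code lands in a public repository, is exactly the kind of guardrail that could have caught a token that sat exposed for three years.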

    As AI models become more widely used in organizations, raising awareness about pertinent security threats at each stage of AI development becomes crucial. Collaboration between security and data science/research teams is essential to establish appropriate safeguards.

    What are your views on the future of AI in big tech companies? Join the conversation in our Yes We Trust community, a free discussion group for data privacy professionals and enthusiasts, on LinkedIn:

    Go to the Yes We Trust community


    Jivika Lillaney

    Content writer at Didomi. I am a digital creator who loves to explore the world and tick off things on my bucket list!