Microsoft AI team's oversight results in 38 TB data exposure

Published September 21, 2023
by Jivika Lillaney


Summary

    This week, Microsoft AI faced a data leak that exposed tens of terabytes of sensitive data, including private keys and passwords and over 30,000 internal Microsoft Teams messages, while publishing open-source training data on GitHub. Wiz, a security vendor for Microsoft AI, helped discover this data exposure. 

    The incident occurred when researchers shared files on GitHub through a shared access signature (SAS) URL. The token behind it was misconfigured in two ways: it was scoped to the entire storage account instead of just the files that needed sharing, and it carried "full control" permissions rather than "read-only." Repository visitors were instructed to obtain the training data from a specified URL, but because of the token's scope, that address unintentionally gave access to a far broader set of files and directories, letting anyone browse content that was never meant to be public.
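    The two misconfigurations described above (account-wide scope and write permissions) are visible in the query string of a SAS URL, so a defender can audit shared links before they are published. The following audit function is an added example, not code from the article, Wiz or Microsoft; the URLs, storage account name and signature values are constructed placeholders, and the SAS parameter names used (`ss`, `srt`, `sr`, `sp`, `se`, `sig`) are Azure's documented query keys.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Constructed sample: an account-scoped SAS URL of the kind the article describes
# (whole storage account via ss/srt, full permissions, expiry decades away).
OVERLY_BROAD_URL = (
    "https://example.blob.core.windows.net/models/data.zip"
    "?sv=2020-08-04&ss=b&srt=sco&sp=rwdlacup&se=2051-10-06T18:00:00Z&sig=PLACEHOLDER"
)
# Constructed sample: the shape the link should have had: one blob, read-only, short expiry.
NARROW_URL = (
    "https://example.blob.core.windows.net/models/data.zip"
    "?sv=2020-08-04&sr=b&sp=r&se=2023-09-30T18:00:00Z&sig=PLACEHOLDER"
)

# Permission letters that go beyond read/list: write, delete, add, create, update, process.
WRITE_PERMS = set("wdacup")


def audit_sas_url(url: str, now: datetime, max_days: int = 7) -> list[str]:
    """Return findings for a SAS URL; an empty list means it looks acceptable for sharing."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in params or "sp" not in params:
        return ["not a SAS URL (missing sig/sp)"]
    findings = []
    # Account SAS tokens carry ss (services) and srt (resource types) and cover
    # the whole storage account; a service SAS uses sr to name one resource.
    if "ss" in params or "srt" in params:
        findings.append("account-level SAS: grants access to the whole storage account")
    elif params.get("sr") in ("c", "s", "d"):
        findings.append(f"container/share/directory scope (sr={params['sr']}), not a single object")
    if set(params["sp"]) & WRITE_PERMS:
        findings.append(f"write/delete permissions granted (sp={params['sp']}); read-only expected")
    se = params.get("se")
    if se is None:
        findings.append("no expiry (se) set")
    else:
        # se may be a date or a full timestamp; treat naive values as UTC.
        expiry = datetime.fromisoformat(se.replace("Z", "+00:00"))
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry - now > timedelta(days=max_days):
            findings.append(f"expiry {se} is more than {max_days} days out")
    return findings


if __name__ == "__main__":
    for url in (OVERLY_BROAD_URL, NARROW_URL):
        print(url.split("?")[0], audit_sas_url(url, datetime.now(timezone.utc)) or "OK")
```

Running the same check over every URL committed to a repository (for example in a pre-commit hook) is one way to catch a link like the one in this incident before it reaches GitHub.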

    Wiz found the exposed data during routine internet scans, and the publicly accessible SAS token had been available on GitHub for three years. 

    "A threat actor would not need deep technical expertise to gain access to this data. It could have been discovered and exploited by practically anyone"

    -Shir Tamari, Head of Research at Wiz (Source: TechTarget)

    Microsoft clarified that no customer data was compromised, and the exposure affected no other internal services. The misconfigured SAS token and data exposure are part of a series of incidents following the Storm-0558 attacks, where a China-based threat actor compromised the email systems of 25 customers, including federal government agencies. Microsoft disclosed that the attackers exploited a token validation issue, which has since been corrected.

    "Due to a lack of monitoring and governance, SAS tokens pose a security risk, and their usage should be as limited as possible. These tokens are very hard to track, as Microsoft does not provide a centralized way to manage them within the Azure portal"

    -Hillai Ben-Sasson and Ronny Greenberg, Security Researchers (Source: Wiz)

    Microsoft has expanded GitHub's secret scanning service to monitor open-source code changes for credential exposure. Wiz additionally offered takeaways for future practice, chiefly that security teams should be more closely involved in the AI research and development process. 

    As AI models become more widely used in organizations, raising awareness about pertinent security threats at each stage of AI development becomes crucial. Collaboration between security and data science/research teams is essential to establish appropriate safeguards.
