In a shocking turn of events, a Microsoft employee inadvertently made a colossal data blunder, resulting in the exposure of a whopping 38 terabytes of private data. The incident occurred during the publication of an open-source AI training data bucket on GitHub, raising serious concerns about data security. Wiz security researchers were quick to spot the leaky account and promptly reported it to the tech giant.

However, Microsoft’s response may leave you both surprised and concerned.

The Unveiling of a Data Breach

Redmond, in a statement released on a fateful Monday, downplayed the incident, claiming that they were merely “sharing the learnings” to help customers avoid making similar mistakes.

This was in stark contrast to Wiz’s findings, which pointed to the exposed data containing private keys, passwords, and over 30,000 internal Microsoft Teams messages, along with backup data from two former employees’ workstations.

Microsoft Security Response Center (MSRC) defended the situation, stating, “No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue.”

Wiz researchers, Hillai Ben-Sasson and Ronny Greenberg, elucidated the sequence of events in their report. While conducting scans for misconfigured storage containers, they stumbled upon a GitHub repository owned by the Microsoft AI research team.

This repository was intended to provide open-source code and machine learning models for image recognition, but it held an alarming secret.

Within this repository, the researchers found a URL with an overly permissive Shared Access Signature (SAS) token for a Microsoft-owned internal Azure storage account, housing private data.

A SAS token is essentially a signed URL that grants access to Azure Storage resources, with customizable permission levels. In this case, the SAS token was shockingly misconfigured, granting full-control permissions.

The Consequences of a Misconfigured SAS Token

This glaring oversight not only allowed the Wiz research team access to everything in the storage account but also gave them the power to potentially delete or alter existing files.

As Ben-Sasson and Greenberg noted, “Our scan shows that this account contained 38TB of additional data — including Microsoft employees’ personal computer backups.”

The backups contained highly sensitive personal data, including passwords to Microsoft services, secret keys, and a treasure trove of over 30,000 internal Microsoft Teams messages, originating from 359 Microsoft employees.

Microsoft attempted to mitigate the damage by swiftly revoking the SAS token on June 22, upon being notified of the exposure, and effectively sealing the leak by June 24. They also clarified that the personal computer backups belonged to two former employees.

Conclusion

This incident serves as a stark reminder of the critical importance of robust data security measures in an age where data breaches can have far-reaching consequences. While Microsoft may have downplayed the severity of the situation, the potential repercussions of exposing such a vast amount of sensitive data are cause for concern.

It underscores the need for organizations, regardless of their size or stature, to remain vigilant and proactive in safeguarding sensitive information from prying eyes.

We hope you’ve enjoyed this blog. Be sure to watch out for our future weekly blog releases and thanks for reading!