Oops, Microsoft left 38TB of sensitive data exposed for 3 years including internal Teams chats

Seems like the wrong box was left ticked.

Seems like the wrong box was left ticked.

Even the smartest of boffins can trip up sometimes, and that’s exactly what happened after a member of Microsoft’s AI research team accidentally exposed 38TB of sensitive internal data after misconfiguring a link.

Wiz, a cloud security company that routinely looks for vulnerabilities or exposures of cloud-hosted data detailed the exposure on its blog (via ITWire). It found a GitHub repository belonging to Microsoft’s AI research division, hosting open-source code and AI models for image recognition. But that’s not all Wiz found.

A configuration error allowed anyone access the entire storage account, and this data included two complete PC backups belonging to Microsoft employees. According to Wiz, the data included “sensitive personal data, including passwords to Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from 359 Microsoft employees.”

Furthermore, the files weren’t read-only. They could be rewritten or deleted at will. In fairness to Microsoft — and the employees, access to the files wasn’t completely public. Access was granted via an Azure sharing feature called a SAS token, which is a shareable link, but in this case it granted full access. Anyone with that link, which would include users looking to access the AI source code, would have had access.

Your next upgrade

(Image credit: Future)

Best CPU for gaming: The top chips from Intel and AMD.
Best gaming motherboard: The right boards.
Best graphics card: Your perfect pixel-pusher awaits.
Best SSD for gaming: Get into the game ahead of the rest.

What’s worse is that the data has been exposed since 2020. Microsoft was made aware of the exposure in June this year, meaning the data was available for three years.

Microsoft posted a lengthy statement on its own blog, stating “No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue”.

That sounds fair, but internally there is sure to be a few red faces and breathless IT personnel running this way and that to change passwords and keys that were exposed. Just in case.

Kids, adults, gamers, and boffins alike, it’s important to configure your storage accounts correctly. You never know who might come sniffing.

About Post Author

See author's posts

Related

The Last Of Us Season 2 Pics, Fallout Player Nukes Phil Spencer, And More News

The Last Of Us Season 2 Pics, Fallout Player Nukes Phil Spencer, And More News

May 19, 2024
There’s a mod to fix Gale’s beard, making Baldur’s Gate 3 playable at last

There’s a mod to fix Gale’s beard, making Baldur’s Gate 3 playable at last

May 19, 2024

You may have missed

New Black Myth: Wukong trailer shows off explosive staff moves, daunting new bosses

New Black Myth: Wukong trailer shows off explosive staff moves, daunting new bosses

May 19, 2024
Daily Deals: Super Mario RPG, Dead Island 2, Persona 3 Reload

Daily Deals: Super Mario RPG, Dead Island 2, Persona 3 Reload

May 19, 2024
The Last Of Us Season 2 Pics, Fallout Player Nukes Phil Spencer, And More News

The Last Of Us Season 2 Pics, Fallout Player Nukes Phil Spencer, And More News

May 19, 2024
Bellingham gets shiny new EA FC 24 TOTS card—but not the one you’re thinking of

Bellingham gets shiny new EA FC 24 TOTS card—but not the one you’re thinking of

May 19, 2024
MOUZ sweep Spirit in BetBoom Dacha Belgrade grand final to take HLTV top spot for the first time ever

MOUZ sweep Spirit in BetBoom Dacha Belgrade grand final to take HLTV top spot for the first time ever

May 19, 2024
Gen.G breaks LPL stranglehold over MSI with historic win to secure Worlds spot

Gen.G breaks LPL stranglehold over MSI with historic win to secure Worlds spot

May 19, 2024