Microsoft has accidentally exposed 38TB of sensitive data since July 2020, according to a new finding. Discovered by cloud security firm Wiz and published this week, the leak reportedly happened while the company's artificial intelligence division was contributing open-source AI models to a public GitHub repository. The security firm also suspects that an attacker could have injected malicious code into all AI models in the compromised storage account, thereby impacting users of those models too.
Wiz reported that a Microsoft employee mistakenly shared the URL for a misconfigured Azure storage bucket that contained the leaked information. “Our scan shows that this account contained 38TB of additional data — including Microsoft employees’ personal computer backups. The backups contained sensitive personal data, including passwords to Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from 359 Microsoft employees,” a Wiz blog noted.
The URL allowed access to the entire storage account and exposed additional data. It granted not only read access but also full-control permissions, so an attacker could have viewed, deleted, and overwritten existing files. The Azure storage account itself was private and not directly exposed to the public: Microsoft developers use a mechanism called SAS (Shared Access Signature) tokens to create shareable links to account data, and an account accessed this way still appears private upon inspection even though the link itself grants access.
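The risk described above comes down to three properties of the SAS token: it was scoped to the whole account rather than one blob, it carried write and delete permissions, and it expired decades in the future. The following audit script is an added example, not code from the article, Wiz or Microsoft; it parses the query parameters of a SAS URL (the documented `sv`, `ss`, `srt`, `sr`, `sp`, `se`, `spr` and `sig` fields) and flags each of those properties. The sample URLs, the `example` account name, the `PLACEHOLDER_SIGNATURE` values and the 30-day lifetime threshold are all constructed for the example.

```python
"""Audit Azure Shared Access Signature (SAS) URLs for over-broad grants.

Added example, not from the article or from Wiz/Microsoft. It inspects the
query string of a SAS URL and flags the properties that made the leaked
link dangerous: account-wide scope, write/delete permissions and a far-off
expiry. The sample URLs and signature values are constructed placeholders.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Permission letters documented for the Azure SAS `sp` parameter. Anything
# beyond read (r) and list (l) is treated here as a write-class grant.
WRITE_CLASS = {"w": "write", "d": "delete", "a": "add", "c": "create",
               "u": "update", "p": "process", "x": "delete-version",
               "y": "permanent-delete", "t": "tag", "f": "filter"}

# Assumed policy threshold for this example, not an Azure default.
MAX_LIFETIME = timedelta(days=30)

# Fixed reference time so the audit is reproducible offline.
REFERENCE_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed sample: an account SAS with full control and a 2051 expiry.
SAMPLE_ACCOUNT_SAS = (
    "https://example.blob.core.windows.net/?sv=2020-08-04&ss=b&srt=sco"
    "&sp=rwdlac&se=2051-10-06T00:00:00Z&spr=https&sig=PLACEHOLDER_SIGNATURE"
)
# Constructed sample: a read-only, single-blob SAS expiring the next day.
SAMPLE_BLOB_SAS = (
    "https://example.blob.core.windows.net/models/model.bin?sv=2020-08-04"
    "&sr=b&sp=r&se=2024-01-02T00:00:00Z&spr=https&sig=PLACEHOLDER_SIGNATURE"
)


def parse_sas(url):
    """Return the SAS query parameters as a flat dict (first value of each)."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def _parse_expiry(value):
    """Accept the ISO forms Azure allows for `se` (date-time with Z, or date only)."""
    expiry = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if expiry.tzinfo is None:          # date-only form is naive; treat as UTC
        expiry = expiry.replace(tzinfo=timezone.utc)
    return expiry


def audit_sas(url, now=None):
    """Return a list of finding strings for a SAS URL; an empty list means no flags."""
    now = now or datetime.now(timezone.utc)
    p = parse_sas(url)
    findings = []

    if "sig" not in p or "sp" not in p:
        return ["not a SAS URL (no sig/sp parameters)"]

    # An account SAS (ss/srt present) spans every container in the account;
    # a service SAS (sr present) is limited to one container or blob.
    if "ss" in p or "srt" in p:
        findings.append("account-scoped SAS: grants access across the whole storage account")
        if "s" in p.get("srt", ""):
            findings.append("srt includes 's': service-level operations permitted")
    elif p.get("sr") == "c":
        findings.append("container-scoped SAS: every blob in the container is reachable")

    grants = [WRITE_CLASS[ch] for ch in p["sp"] if ch in WRITE_CLASS]
    if grants:
        findings.append("write-class permissions: " + ", ".join(grants))

    if "se" in p:
        if _parse_expiry(p["se"]) - now > MAX_LIFETIME:
            findings.append(f"expiry {p['se']} is more than {MAX_LIFETIME.days} days out")
    else:
        findings.append("no expiry (se) parameter")

    if p.get("spr", "https") != "https":
        findings.append("token usable over plain HTTP")

    return findings


if __name__ == "__main__":
    for label, url in (("account SAS", SAMPLE_ACCOUNT_SAS), ("blob SAS", SAMPLE_BLOB_SAS)):
        print(label, "->", audit_sas(url, REFERENCE_TIME) or ["no findings"])
```

Run over links found in repositories, chat exports or tickets, the script separates a narrowly scoped, short-lived read link from one that hands over the whole account. Note that the signature itself cannot be validated without the account key, so the audit only reasons about what the token claims to grant; revoking an over-broad account SAS still requires rotating the account key it was signed with.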
Earlier this month, Microsoft also announced that Chinese hackers had stolen a signing key and used it to breach US government email accounts after compromising a Microsoft engineer’s work account. The attackers used the key to breach the Exchange Online and Azure Active Directory (AD) accounts of agencies including the US State and Commerce Departments.