Microsoft AI researchers accidentally leaked 38TB internal data, including private keys, passwords and 30,000 internal Teams messages 03/15 Update SLTechnology News&Howtos

Microsoft AI researchers accidentally leaked 38TB internal data, including private keys, passwords and 30,000 internal Teams messages

2025-03-15 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > IT Information >

Shulou(Shulou.com)11/24 Report--

Thanks to CTOnews.com netizens, soft media users 1520111, Alejandro86 for the delivery of clues! CTOnews.com, Sept. 18 (Xinhua)-- Cloud Security startup Wiz Research announced today that a data leak was found in Microsoft AI's GitHub repository, caused by a misconfigured SAS token.

In terms of details, Microsoft's AI research team released open source training data on GitHub, but accidentally exposed other internal data of 38TB, including disk backups of the personal PC of several Microsoft employees. In this disk backup, it contains secrets, private keys, passwords and hundreds of Microsoft employees more than 30000 Microsoft Teams internal messages.

The GitHub repository provides open source code and AI models for image recognition, and visitors are required to download models from the Azure storage URL. However, Wiz found that the URL was configured to grant permissions to the entire storage account, thus mistakenly exposing other private data.

The URL allegedly exposed the data since 2020, and the URL was misconfigured to allow "full control" rather than "read-only" access, meaning that anyone who knows where to view could delete, replace and inject malicious content into it.

Wiz said it reported the problem to Microsoft on June 22, and on June 24, two days later, Microsoft announced the revocation of the SAS token. Microsoft said it completed a survey of potential organizational impact on Aug. 16.

The specific timeline of the whole event is as follows:

July 20, 2020-SAS tokens are first submitted to GitHub; with an expiration date of October 5, 2021

October 6, 2021-SAS token expiration date updated to October 6, 2051

June 22, 2023-Wiz Research discovers a problem and reports it to Microsoft

June 24, 2023-Microsoft declares SAS token invalid

July 7, 2023-SAS token replaced on GitHub

August 16, 2023-Microsoft completes internal investigation into potential impact

September 18, 2023-Wiz Research publicly disclosed the matter

Referenc

38TB of data accidentally exposed by Microsoft AI researchers

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.