Microsoft mishap leaves 38TB of private data exposed for three years

[Image: Microsoft Azure logo on a smartphone in front of a blue background. Image credit: Getty Images]

Up to 38TB of sensitive company information was accidentally leaked by Microsoft AI staffers due to a misconfigured Azure SAS token, according to new research. 

Analysis from researchers at cloud security firm Wiz found that Microsoft’s AI research team published an overly permissive URL in its GitHub repository, which allowed anyone to access a trove of data that should have remained private.

Data exposed in the mishap included full backups of two employee work devices, both of which contained data including passwords to Microsoft services, private keys, and records of more than 30,000 internal Microsoft Teams messages. 

As part of its activity on the platform, Microsoft’s AI research team regularly provides links to open source training data for the community to use, but the link in question led to an Azure Storage bucket which was misconfigured, allowing access to more private data.

Researchers at the tech giant were found to have shared files using Azure Shared Access Signature (SAS) tokens, which enable users to access and share data from the service’s storage accounts. 

Typically, SAS tokens prevent unauthorized users from accessing files. However, in this instance a URL to stored data was configured to grant permission to the entire account, Wiz found. 

“The [Microsoft] researchers shared their files using an Azure feature called SAS tokens, which allows you to share data from Azure Storage accounts,” Wiz’s team said. 

“The access level can be limited to specific files only; however, in this case, the link was configured to share the entire storage account – including another 38TB of private files.”

[Infographic: how the data was exposed via a GitHub repository. Image credit: Wiz]

The investigation from Wiz found that the initial mishap occurred in July 2020 and went unnoticed for nearly three years, with Wiz only making the discovery in June 2023.

Researchers informed Microsoft of the issue after making the discovery. Microsoft then conducted an investigation into the potential risk to customers. 

Microsoft said in a statement this week there was no evidence that customer data was exposed. Similarly, the firm said that “no other internal services were put at risk because of the issue”. 

“A researcher at Microsoft inadvertently included this SAS token in a blob store URL while contributing to open source AI learning models and provided the URL in a public GitHub repository,” Microsoft confirmed.  

“There was no security issue or vulnerability within Azure Storage or the SAS token feature.” 


Wiz said the incident highlights the need for more robust governance and monitoring practices with regard to SAS tokens. 

Researchers noted that Microsoft does not offer a “centralized way” to manage tokens, which presents security risks due to the difficulties teams may have in tracking them. 

“Due to a lack of monitoring and governance, SAS tokens pose a security risk, and their usage should be as limited as possible,” Wiz said. “These tokens are very hard to track, as Microsoft does not provide a centralized way to manage them within the Azure portal.”

“In addition, these tokens can be configured to last effectively forever, with no upper limit on their expiry time. Therefore, using Account SAS tokens for external sharing is unsafe and should be avoided.”
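The two conditions Wiz describes above, a link scoped to the entire storage account instead of specific files and a token with no expiry ceiling, are both visible in the query string of a SAS URL and can be flagged before such a URL is committed to a public repository. The following checker is an added example, not code from the article, Wiz or Microsoft; the sample URLs, the placeholder signature, the reference time and the seven-day lifetime threshold are constructed assumptions, while the parameter names (srt, sr, sp, se, sig) are Azure's documented SAS query parameters.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs

# Constructed reference time and lifetime threshold (assumptions, not from the article).
NOW = datetime(2023, 6, 22, tzinfo=timezone.utc)
MAX_LIFETIME = timedelta(days=7)

# Constructed sample URLs with a placeholder signature. The first mirrors the pattern
# Wiz described (account-scoped, broad permissions, expiry decades away); the second is
# the narrowly scoped form: one blob, read-only, expiring the next day.
OVERSHARED_URL = ("https://example.blob.core.windows.net/models/weights.bin"
                  "?sv=2021-06-08&ss=b&srt=sco&sp=rwdlac&se=2051-10-06T00:00:00Z&sig=PLACEHOLDER")
SCOPED_URL = ("https://example.blob.core.windows.net/models/weights.bin"
              "?sv=2021-06-08&sr=b&sp=r&se=2023-06-23T00:00:00Z&sig=PLACEHOLDER")


def assess_sas_url(url, now=NOW):
    """Return findings that make a SAS URL unsuitable for public sharing (empty = OK).

    SAS query parameters used: srt = account-SAS resource types (s=service, c=container,
    o=object), sr = service-SAS resource (b=blob, c=container), sp = permissions,
    se = expiry time in ISO 8601 UTC, sig = the signature that marks a URL as a SAS URL.
    """
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in q:
        return ["not a SAS URL (no 'sig' parameter)"]
    findings = []
    if "srt" in q:
        # Account SAS: the token is scoped to the whole storage account, not to one file.
        findings.append("account SAS (srt=%s) grants access across the storage account" % q["srt"])
    elif q.get("sr") == "c":
        findings.append("container-scoped SAS exposes every blob in the container")
    risky = set(q.get("sp", "")) & set("wdaclup")  # anything other than read-only (r)
    if risky:
        findings.append("permissions beyond read: %s" % "".join(sorted(risky)))
    se = q.get("se")
    if se is None:
        findings.append("no expiry (se) set")
    else:
        expiry = datetime.fromisoformat(se.replace("Z", "+00:00"))
        if expiry - now > MAX_LIFETIME:
            findings.append("expiry %s is more than %d days away" % (se, MAX_LIFETIME.days))
    return findings


if __name__ == "__main__":
    for label, url in (("overshared", OVERSHARED_URL), ("scoped", SCOPED_URL)):
        print(label, assess_sas_url(url) or ["no findings"])
```

Run as a pre-commit hook over staged files, the same function would catch an account-level SAS URL at the point where it is about to be pushed, which is the control the article says was missing.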

Microsoft said the incident has prompted a reassessment of SAS token management processes. 

“We are making ongoing improvements to further harden the SAS token feature and continue to evaluate the service to bolster our secure-by-default posture,” the firm said.

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
