Microsoft mishap leaves 38TB of private data exposed for three years
Microsoft’s blunder first occurred in 2020 and wasn’t uncovered until June this year


Up to 38TB of sensitive company information was accidentally leaked by Microsoft AI staffers due to a misconfigured Azure SAS token, according to new research.
Analysis from researchers at cloud security firm Wiz found that Microsoft’s AI research team published an overly permissive URL in its GitHub repository, which gave anyone access to the trove of what should have been private data.
Data exposed in the mishap included full backups of two employee work devices, both of which contained data including passwords to Microsoft services, private keys, and records of more than 30,000 internal Microsoft Teams messages.
As part of its activity on the platform, Microsoft’s AI research team regularly provides links to open source training data for the community to use, but the link in question led to an Azure Storage bucket which was misconfigured, allowing access to more private data.
Researchers at the tech giant were found to have shared files using Azure Shared Access Signature (SAS) tokens, which enable users to access and share data from the service’s storage accounts.
Typically, SAS tokens prevent unauthorized users from accessing files. However, in this instance a URL to stored data was configured to grant permission to the entire account, Wiz found.
“The [Microsoft] researchers shared their files using an Azure feature called SAS tokens, which allows you to share data from Azure Storage accounts,” Wiz’s team said.
“The access level can be limited to specific files only; however, in this case, the link was configured to share the entire storage account – including another 38TB of private files.”
The investigation from Wiz found that the initial mishap occurred in July 2020 and went unnoticed for nearly three years, until Wiz made the discovery in June 2023.
Researchers informed Microsoft of the issue after making the discovery. Microsoft then conducted an investigation into the potential risk to customers.
Microsoft said in a statement this week there was no evidence that customer data was exposed. Similarly, the firm said that “no other internal services were put at risk because of the issue”.
“A researcher at Microsoft inadvertently included this SAS token in a blob store URL while contributing to open source AI learning models and provided the URL in a public GitHub repository,” Microsoft confirmed.
“There was no security issue or vulnerability within Azure Storage or the SAS token feature.”
Wiz said the incident highlights the need for more robust governance and monitoring practices with regard to SAS tokens.
Researchers noted that Microsoft does not offer a “centralized way” to manage tokens, which presents security risks due to the difficulties teams may have in tracking them.
“Due to a lack of monitoring and governance, SAS tokens pose a security risk, and their usage should be as limited as possible,” Wiz said. “These tokens are very hard to track, as Microsoft does not provide a centralized way to manage them within the Azure portal.”
“In addition, these tokens can be configured to last effectively forever, with no upper limit on their expiry time. Therefore, using Account SAS tokens for external sharing is unsafe and should be avoided.”
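The properties Wiz describes (account-wide scope, broad permissions, distant expiry) are all visible in a SAS URL's query string, so a repository can be checked for them before it is published. The following is an added example, not code from Wiz or Microsoft; the account name, paths, signatures, sample text and the seven-day lifetime threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Azure Storage endpoints; whether a URL is a SAS is decided by its query string.
STORAGE_URL = re.compile(
    r"https://[\w-]+\.(?:blob|dfs|file|queue|table)\.core\.windows\.net/[^\s\"'<>)]*")
MAX_LIFETIME = timedelta(days=7)  # assumed local policy, not an Azure-enforced limit


def audit_sas_url(url, now):
    """Return findings for one SAS URL, based only on its query parameters."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    findings = []
    # Account SAS carries ss (services) and srt (resource types);
    # a service SAS carries sr (b = single blob, c = whole container).
    if "ss" in q and "srt" in q:
        findings.append("account-sas")
    elif q.get("sr") == "c":
        findings.append("container-scope")
    extra = set(q.get("sp", "")) - set("rl")  # anything beyond read/list
    if extra:
        findings.append("non-read-permissions:" + "".join(sorted(extra)))
    if "se" not in q:
        findings.append("expiry-not-in-url")  # e.g. set by a stored access policy
    else:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:  # date-only values are interpreted as UTC
            expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry - now > MAX_LIFETIME:
            findings.append("expiry-exceeds-policy")
    return findings


def scan_text(text, now):
    """Find SAS URLs (storage URLs carrying sig=) in text and audit each one."""
    hits = [u for u in STORAGE_URL.findall(text) if "sig=" in urlsplit(u).query]
    return [(u, audit_sas_url(u, now)) for u in hits]


# Constructed sample: account name, paths and signatures are placeholders.
SAMPLE_README = """
Models: https://exampleacct.blob.core.windows.net/models/?sv=2020-08-04&ss=b&srt=sco&sp=racwdl&se=2099-01-01T00:00:00Z&sig=PLACEHOLDER
Dataset: https://exampleacct.blob.core.windows.net/data/train.zip?sv=2020-08-04&sr=b&sp=r&se=2023-06-24T00:00:00Z&sig=PLACEHOLDER
Docs: https://exampleacct.blob.core.windows.net/public/readme.txt
"""
NOW = datetime(2023, 6, 22, tzinfo=timezone.utc)  # fixed so the result is reproducible

if __name__ == "__main__":
    for url, findings in scan_text(SAMPLE_README, NOW):
        print(url.split("?")[0], findings or ["ok"])
```

Run as a pre-commit or CI step, a non-empty findings list for any URL is a reason to block the push and reissue a narrower, short-lived token.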
Microsoft said the incident has prompted a reassessment of SAS token management processes.
“We are making ongoing improvements to further harden the SAS token feature and continue to evaluate the service to bolster our secure-by-default posture,” the firm said.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.