Microsoft’s AI Research Division has been leaking 38TB worth of sensitive data for over three years!

Discovered by a security researcher, the leak started back in July 2020 and was due to a Microsoft employee inadvertently sharing the URL for a misconfigured Azure Blob storage bucket. The shared URL used an excessively permissive Shared Access Signature token, which the security researcher described as challenging to monitor and revoke. The Shared Access Signature token allowed full control over the shared files and had no limit on its expiry or scope. The 38TB worth of exposed sensitive data included backups of personal information belonging to Microsoft employees, including passwords for Microsoft services, secret keys and an archive of over 30,000 internal Microsoft Teams messages originating from 359 Microsoft employees. Microsoft has since revoked the Shared Access Signature token and said that no customer data was exposed, and no other internal services faced jeopardy due to this incident.
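As an added example (not part of the original segment and not Microsoft's code), this Python check reads the query parameters of a SAS URL and flags the three problems described above: permissions beyond read, a distant expiry and broad scope. The account name, both URLs, the 7-day lifetime threshold and the function names are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# SAS permission letters (sp=) that grant more than read/list access.
RISKY_PERMS = {"w": "write", "d": "delete", "c": "create", "a": "add"}

def _parse_time(value):
    """Parse the ISO 8601 UTC timestamp used in se=; treat naive values as UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def audit_sas_url(url, now, max_lifetime=timedelta(days=7)):
    """Return a list of findings for one SAS URL (empty list: nothing flagged)."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["not a SAS URL (no sig parameter)"]
    findings = []
    risky = [name for flag, name in RISKY_PERMS.items() if flag in q.get("sp", "")]
    if risky:
        findings.append("permissions beyond read/list: " + ", ".join(risky))
    if "se" in q:
        if _parse_time(q["se"]) - now > max_lifetime:
            findings.append("expiry more than %d days away: %s"
                            % (max_lifetime.days, q["se"]))
    elif "si" not in q:  # si= means the expiry may live in a stored access policy
        findings.append("no expiry set")
    if "srt" in q:       # srt= only appears on account-level SAS tokens
        findings.append("account-level SAS (whole storage account in scope)")
    elif q.get("sr") == "c":
        findings.append("container-level SAS (every blob in the container)")
    if q.get("spr", "https,http") != "https":
        findings.append("HTTP allowed (spr is not https-only)")
    return findings

# Constructed sample URLs; the signatures are placeholders, not real tokens.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
BROAD = ("https://exampleaccount.blob.core.windows.net/models"
         "?sv=2020-08-04&ss=b&srt=sco&sp=rwdlac&se=2099-01-01T00:00:00Z&sig=PLACEHOLDER")
NARROW = ("https://exampleaccount.blob.core.windows.net/models/weights.bin"
          "?sv=2020-08-04&sr=b&sp=r&se=2024-01-02T00:00:00Z&spr=https&sig=PLACEHOLDER")

if __name__ == "__main__":
    for label, url in (("broad", BROAD), ("narrow", NARROW)):
        print(label, audit_sas_url(url, NOW) or "nothing flagged")
```

Run over URLs found in repositories, wikis or chat exports, a check like this surfaces long-lived, writable tokens before they are shared publicly.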

This segment was created for the It’s 5:05 podcast