Wiz, a cloud security company founded by former Microsoft engineers, has identified a significant data exposure caused by one of Microsoft’s own employees. While updating AI-related materials on GitHub, the employee accidentally made 38 TB of confidential data publicly accessible. This data included private keys, passwords, and more than 30,000 internal Microsoft Teams messages.
According to Wiz, this issue was discovered during routine internet scanning aimed at detecting misconfigured containers.
“We found a GitHub repository managed by Microsoft named ‘robust-models-transfer.’ This repository belongs to Microsoft’s research division on artificial intelligence, with the goal of providing open-source source code and AI models for image recognition,” explained the researchers.
It turns out that in 2020, Microsoft used Azure SAS (Shared Access Signature) tokens for data transfer, allowing information to be shared from Azure Storage accounts. While access levels could be restricted to specific files, in this case, the link was misconfigured to grant access to the entire storage account, including 38 TB of personal files.
“This URL provided access not only to open-source models for AI training but was configured to grant access to the entire Azure Storage account, inadvertently exposing personal data,” said representatives from Wiz.
The scan revealed that the exposed storage account contained 38 TB of information, including backups from Microsoft employees’ personal computers.
“The backups contained confidential personal data, including passwords for Microsoft services, secret keys, and more than 30,000 Microsoft Teams internal messages from 359 Microsoft employees,” the researchers calculated.
Furthermore, the token was misconfigured to grant full control rather than read-only access, allowing anyone, including malicious actors, to delete and overwrite existing files.
“A malicious actor could have injected malicious code into all AI models in this Storage account, and every user subsequently relying on Microsoft’s GitHub repository would have been compromised,” warned Wiz.
In their report, Wiz specialists emphasized that SAS tokens in general pose a serious security risk because of the lack of monitoring and management around them, and that their use should be strictly limited. Such tokens are hard to track because Microsoft provides no centralized way to manage them in the Azure portal. In addition, because there is no upper limit on their expiry, they can be configured with effectively unlimited lifetimes.
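As an added defensive check, not code from Wiz or Microsoft: a small Python audit of a SAS URL’s query parameters that flags the three settings the report singles out (account-wide scope, write/delete permissions, far-future or absent expiry). The sample URLs, account name, signatures, reference date and the 30-day threshold are constructed for this example.

```python
"""Audit an Azure Storage SAS URL for the misconfigurations described above:
account-wide scope, write/delete permissions and a distant (or absent) expiry."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

MAX_LIFETIME_DAYS = 30  # assumed policy threshold, not an Azure default
# Fixed reference date so the results are reproducible (constructed).
REFERENCE_NOW = datetime(2023, 9, 18, tzinfo=timezone.utc)

# Constructed sample URLs; account name, paths and signatures are placeholders.
OVER_PERMISSIVE_SAS = ("https://exampleaccount.blob.core.windows.net/"
                       "?sv=2020-08-04&ss=b&srt=sco&sp=rwdlac"
                       "&se=2051-10-06T00:00:00Z&sig=CONSTRUCTED")
SCOPED_SAS = ("https://exampleaccount.blob.core.windows.net/models/resnet50.pt"
              "?sv=2020-08-04&sr=b&sp=r&se=2023-10-01T00:00:00Z&sig=CONSTRUCTED")


def parse_sas(url):
    """Return the SAS query parameters of a storage URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def audit_sas(url, now=None):
    """Return a list of findings; an empty list means the token looks tightly scoped."""
    now = now or datetime.now(timezone.utc)
    p = parse_sas(url)
    if "sig" not in p:
        return ["not a SAS URL (no 'sig' parameter)"]
    findings = []
    # An account SAS carries 'ss' (services) and 'srt' (resource types); 'srt=sco'
    # covers service, container and object, i.e. the whole account, as in the report.
    if "srt" in p:
        findings.append(f"account-level SAS over resource types '{p['srt']}'")
    elif p.get("sr") == "c":
        findings.append("service SAS scoped to a whole container, not one blob")
    # Anything beyond read/list lets the holder overwrite or delete content.
    dangerous = set(p.get("sp", "")) & set("wdca")
    if dangerous:
        findings.append(f"grants non-read permissions: {''.join(sorted(dangerous))}")
    # Expiry: absent (only legitimate with a stored access policy 'si') or far away.
    if "se" not in p:
        note = " (delegated to stored access policy)" if "si" in p else ""
        findings.append("no expiry in token" + note)
    else:
        expiry = datetime.fromisoformat(p["se"].replace("Z", "+00:00"))
        if expiry - now > timedelta(days=MAX_LIFETIME_DAYS):
            findings.append(f"expires {p['se']}, more than {MAX_LIFETIME_DAYS} days out")
    return findings
```

Run over a list of SAS URLs harvested from your own repositories and CI configuration, any non-empty result is a token worth rotating or re-scoping.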
According to Wiz, Microsoft engineers revoked the SAS token within two days of being informed of the issue in June of this year. A month later, the token was replaced on GitHub.
Microsoft representatives have since stated that the incident did not expose customer data and that no internal company services were put at risk.