A Microsoft worker’s inadvertent mistake led to the publicity of a large 38 terabytes of delicate knowledge on GitHub, a well-liked platform for open-source tasks. This safety blunder was found by Wiz safety researchers, who promptly reported the problem to Microsoft.
The incident occurred when the Microsoft worker was publishing a repository containing open-source AI coaching knowledge on GitHub. Within this repository, there was a URL linked to an inside Azure storage account owned by Microsoft. Unfortunately, the URL was outfitted with a very permissive Shared Access Signature (SAS) token, granting full management over the Azure storage sources.
The uncovered knowledge contained private pc backups, reportedly belonging to 2 former Microsoft staff.
The Leaked Data Included Sensitive Information
This lapse in safety not solely allowed the Wiz safety staff however probably malicious actors as nicely, to entry, modify, or delete recordsdata throughout the storage account. The compromised knowledge included delicate data equivalent to passwords for Microsoft providers, secret keys, and over 30,000 inside Microsoft Teams messages exchanged by 359 Microsoft staff.
Additionally, the uncovered knowledge contained private pc backups, reportedly belonging to 2 former Microsoft staff.
Despite the magnitude of the breach, Microsoft downplayed its severity, emphasizing that no buyer knowledge or inside providers have been compromised, and no additional motion was required from prospects. The firm took swift motion by revoking the SAS token on June 22 and fixing the leak by June 24.
“Additional investigation then took place to understand any potential impact to our customers and/or business continuity […]” “Our investigation concluded that there was no risk to customers as a result of this exposure.”
In response to the incident, Microsoft advisable finest practices for managing SAS tokens to reduce dangers, together with limiting URLs to important sources, limiting permissions to the minimal crucial, and setting shorter expiration instances for SAS URLs.
This incident highlights the significance of sturdy safety measures and correct configuration of entry controls, even inside giant organizations like Microsoft. It serves as a reminder of the continuing challenges in safeguarding delicate knowledge and the necessity for steady enchancment in safety practices. Microsoft pledged to reinforce its detection and scanning instruments to proactively establish and tackle comparable points sooner or later.
Filed in . Read extra about Microsoft and Privacy.