Microsoft employees accidentally expose 38TB of internal data; company responds


Microsoft’s AI research team accidentally exposed 38 terabytes of private data, including sensitive information such as secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages, while sharing open-source training data on GitHub, according to cloud security company Wiz.

Microsoft said no customer data was exposed.

The exposure occurred because the researchers used an Azure feature called Shared Access Signature (SAS) tokens to share their files, but the access level was configured incorrectly. Instead of limiting access to specific files, the link shared the entire storage account, including the additional 38TB of private data, the report said.

Additionally, the token was misconfigured to permit “full control” permissions, thus “not only could an attacker view all the files in the storage account, but they could delete and overwrite existing files as well.”
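The two misconfigurations described above (account-wide scope and "full control" permissions) are both visible in a SAS URL's query string, so a shared link can be checked before it is published. The following Python sketch is an added example, not code from Wiz, Microsoft or the original article; the account name, dates, signatures and the 7-day lifetime threshold are constructed assumptions.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Matches Azure Storage URLs that carry a SAS signature (sig=) in the query string.
SAS_URL_RE = re.compile(
    r"https://[\w.-]+\.core\.windows\.net/[^\s\"'<>)]*\?[^\s\"'<>)]*sig=[^\s\"'<>)]+")

def audit_sas_url(url, now=None, max_days=7):
    """Return findings for one SAS URL; an empty list means nothing was flagged."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["not a SAS URL (no sig parameter)"]
    findings = []
    # An account SAS carries srt (signed resource types); a service SAS carries sr.
    if "srt" in q:
        findings.append("account-level SAS: scope is the storage account, not one file")
    elif q.get("sr") != "b":
        findings.append(f"scope wider than a single blob (sr={q.get('sr')})")
    # Sharing a download needs read (r), at most list (l); anything else can modify data.
    extra = "".join(sorted(set(q.get("sp", "")) - set("rl")))
    if extra:
        findings.append(f"permissions beyond read/list: {extra}")
    if "se" not in q:
        findings.append("no expiry (se) in the token")
    else:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:           # date-only values are treated as UTC
            expiry = expiry.replace(tzinfo=timezone.utc)
        if (expiry - now).days > max_days:  # max_days is an assumed policy threshold
            findings.append(f"expires {q['se']}, more than {max_days} days away")
    return findings

def scan_text(text, now=None):
    """Find SAS URLs in text (a README, a notebook) and audit each one."""
    return {u: audit_sas_url(u, now) for u in SAS_URL_RE.findall(text)}

# Constructed sample: account name, dates and signatures are placeholders.
SAMPLE = """
Download the models: https://exampleacct.blob.core.windows.net/models?sv=2021-08-06&ss=b&srt=sco&sp=rwdlacup&se=2051-01-01T00:00:00Z&sig=CONSTRUCTED
Single file: https://exampleacct.blob.core.windows.net/models/weights.bin?sv=2021-08-06&sr=b&sp=r&se=2023-07-02T00:00:00Z&sig=CONSTRUCTED
"""

if __name__ == "__main__":
    for url, findings in scan_text(SAMPLE, datetime(2023, 7, 1, tzinfo=timezone.utc)).items():
        print(url.split("?")[0], findings or "ok")
```

The first sample link is flagged on all three checks (scope, permissions, lifetime); the second, a read-only link to one blob that expires the next day, passes.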

Microsoft’s reply

Wiz reported its findings to Microsoft on June 22, leading Microsoft to revoke the SAS token on June 24.

Microsoft completed its investigation and said that no customer data or other Microsoft services were at risk because of this issue. Furthermore, it said that customers need not take any additional action for security.

“No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue,” it stated in a press release.

The tech giant explained that the problem stemmed from a Microsoft researcher inadvertently including the SAS token in a public GitHub repository while contributing to open-source AI learning models. Microsoft clarified that there was no security issue or vulnerability within Azure Storage or the SAS token feature.

To prevent such incidents, Microsoft said, it encourages customers to create and handle SAS tokens appropriately and follow best practices. It also said it is actively improving its detection and scanning tools to identify cases of over-provisioned SAS URLs and improve their secure-by-default posture.


Source: www.hindustantimes.com
