A Microsoft employee’s inadvertent error exposed 38 terabytes of sensitive data on GitHub, a popular platform for open-source projects. The blunder was discovered by Wiz security researchers, who promptly reported it to Microsoft.
The incident occurred when the Microsoft employee published a repository of open-source AI training data on GitHub. The repository contained a URL pointing to an internal Azure storage account owned by Microsoft. That URL carried an overly permissive Shared Access Signature (SAS) token, which granted full control over the storage account’s resources rather than read access to the intended files.
The Leaked Data Included Sensitive Information
This lapse in security allowed not only the Wiz security team but potentially malicious actors as well to access, modify, or delete files within the storage account. The compromised data included sensitive information such as passwords for Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages exchanged by 359 Microsoft employees.
Additionally, the exposed data contained personal computer backups, reportedly belonging to two former Microsoft employees.
Despite the magnitude of the breach, Microsoft downplayed its severity, emphasizing that no customer data or internal services were compromised, and no further action was required from customers. The company took swift action by revoking the SAS token on June 22 and fixing the leak by June 24.
“Additional investigation then took place to understand any potential impact to our customers and/or business continuity […] Our investigation concluded that there was no risk to customers as a result of this exposure.”
In response to the incident, Microsoft recommended best practices for managing SAS tokens to minimize risk: scoping SAS URLs to the specific resources that need to be shared, limiting permissions to the minimum necessary (for example read-only), and setting short expiration times for SAS URLs.
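The three recommendations above can be turned into a repository check that flags SAS URLs before they are committed. The following is an added example, not code from the article, Microsoft or Wiz; it assumes the standard SAS query keys (sp, se, ss, srt, sr, spr, sig) and uses constructed sample URLs with placeholder signatures, with a 7-day lifetime limit chosen as an illustrative policy.

```python
"""Audit Azure Storage SAS URLs found in repository text for over-broad scope.
Added example, not from the original article or from Microsoft/Wiz. Assumes the
standard SAS query keys; sample URLs and signatures are constructed placeholders."""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MUTATING_PERMS = set("wdcaupxyti")   # 'sp' letters that change data, not just read it
MAX_LIFETIME = timedelta(days=7)     # policy threshold chosen for this example
SAS_URL_RE = re.compile(
    r"https://[A-Za-z0-9.-]+\.core\.windows\.net/[^\s\"'<>]*\?[^\s\"'<>]*sig=[^\s\"'<>]*")
# Constructed samples: an account-wide read/write token and a single-blob read token.
BROAD_URL = ("https://examplestorage.blob.core.windows.net/?sv=2021-06-08&ss=bfqt&srt=sco"
             "&sp=rwdlacupx&se=2051-10-06T00:00:00Z&spr=https&sig=PLACEHOLDER1")
SCOPED_URL = ("https://examplestorage.blob.core.windows.net/datasets/train.json"
              "?sv=2021-06-08&sr=b&sp=r&se=2023-06-23T00:00:00Z&spr=https&sig=PLACEHOLDER2")
SAMPLE_TEXT = f"Download the data from {BROAD_URL} or the file at {SCOPED_URL} instead."

def parse_utc(value: str):
    """SAS 'se' values are UTC ISO timestamps, with or without a time part."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def audit_sas_url(url: str, now: str) -> list:
    """Return findings for one SAS URL as of 'now' (UTC ISO); empty means tightly scoped."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q or "sp" not in q:
        return ["not a SAS URL (no sig/sp parameters)"]
    findings = []
    if "ss" in q or "srt" in q:   # account SAS rather than a blob/container SAS
        findings.append("account-level SAS: scope is the whole storage account")
    extra = set(q["sp"]) & MUTATING_PERMS
    if extra:
        findings.append("mutating permissions granted: " + "".join(sorted(extra)))
    expiry = parse_utc(q.get("se", ""))
    if expiry is None:
        findings.append("missing or unparseable expiry (se)")
    elif expiry - parse_utc(now) > MAX_LIFETIME:
        findings.append(f"expiry {q['se']} is more than {MAX_LIFETIME.days} days out")
    return findings

def find_sas_urls(text: str) -> list:
    """Extract candidate SAS URLs from file contents such as a README or notebook."""
    return [m.group(0).rstrip(".,;)") for m in SAS_URL_RE.finditer(text)]
```

Run `find_sas_urls` over each file in a pre-commit hook and fail the commit when `audit_sas_url` returns any finding; the scoped sample passes while the account-wide one is reported on all three counts.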
This incident highlights the importance of robust security measures and properly configured access controls, even within organizations as large as Microsoft. It is a reminder of the ongoing challenge of safeguarding sensitive data and of the need for continuous improvement in security practices. Microsoft pledged to enhance its detection and scanning tools to proactively identify and address similar issues in the future.