According to Wiz, a cloud security startup that discovered the exposure, the URL exposed 38 terabytes of sensitive internal Microsoft data, including private keys, passwords, and internal Microsoft Teams messages from hundreds of Microsoft employees. The data also included personal backups of two Microsoft employees' personal computers.
The data exposure happened because the Microsoft employee used a Shared Access Signature (SAS) token to create the URL. SAS tokens are a mechanism used by Azure that allows users to create shareable links granting access to Azure Storage resources. However, the employee used an account SAS token, which gives access to all the resources in the storage account, instead of a service SAS token, which grants access to specific resources.
Wiz said that the URL had been exposed since 2020, and that it found the URL on June 22, 2023. Wiz reported its findings to Microsoft the same day, and Microsoft revoked the SAS token two days later, on June 24. Microsoft said that it completed its investigation of the potential organizational impact on August 16.
Microsoft said that no customer data was exposed and that no other internal services were put at risk by this issue. However, Wiz warned that the exposure could have led to severe consequences, such as data theft, ransomware attacks, or supply chain attacks. Wiz also said that the exposure could have compromised the integrity and credibility of Microsoft's AI research and models.
The data exposure incident highlights the challenges and risks of securing massive amounts of data, especially in the fast-paced world of AI development. It also shows the importance of following best practices and security protocols when creating and sharing SAS tokens. Wiz recommended not using account SAS tokens for external sharing, and instead using SAS with stored access policy or user delegation SAS.
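The over-broad properties the article describes (account-wide scope, write permissions, an expiry decades away, no stored access policy) are all visible in the SAS query parameters, so a defender can audit shared links before they go out. The following is an added example, not code from Wiz or Microsoft; the account name, container, object IDs and signatures in the sample URLs are constructed placeholders.

```python
"""Audit a shared Azure Storage URL for an over-broad SAS token (added example, not Wiz or Microsoft code)."""
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample URLs: the account name, container, object IDs and signatures are placeholders.
ACCOUNT_SAS_URL = ("https://exampleaccount.blob.core.windows.net/research-models"
                   "?sv=2021-06-08&ss=bfqt&srt=sco&sp=rwdlacup&se=2051-10-06T00:00:00Z"
                   "&spr=https&sig=PLACEHOLDER_SIGNATURE")
DELEGATION_SAS_URL = ("https://exampleaccount.blob.core.windows.net/research-models/model.bin"
                      "?sv=2021-06-08&sr=b&sp=rl&se=2023-06-25T00:00:00Z&skoid=PLACEHOLDER_OID"
                      "&sktid=PLACEHOLDER_TENANT&spr=https&sig=PLACEHOLDER_SIGNATURE")

def classify_sas(url: str, now: Optional[datetime] = None) -> dict:
    """Parse the SAS query parameters and return the token kind, scope and risk findings."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    now = now or datetime.now(timezone.utc)
    findings = []
    if "skoid" in q:                 # user delegation SAS: signed with a short-lived Entra ID key
        kind = "user-delegation"
    elif "ss" in q or "srt" in q:    # account SAS: 'ss'/'srt' scope it across the whole account
        kind = "account"
        findings.append("account SAS grants access beyond a single container or blob")
    elif "si" in q:                  # service SAS tied to a stored access policy (revocable via policy)
        kind = "service (stored access policy)"
    else:                            # ad-hoc service SAS: revocable only by rotating the account key
        kind = "service (ad hoc)"
        findings.append("ad-hoc service SAS can only be revoked by rotating the account key")
    perms = q.get("sp", "")
    if set(perms) - set("rl"):       # anything beyond read (r) and list (l)
        findings.append(f"permissions '{perms}' allow modification, not just reading")
    expiry = q.get("se")
    if expiry:
        exp = datetime.fromisoformat(expiry.replace("Z", "+00:00"))
        if exp - now > timedelta(days=90):
            findings.append(f"expiry {expiry} is more than 90 days away")
    elif "si" not in q:
        findings.append("token has no expiry and no stored access policy to supply one")
    return {"kind": kind, "permissions": perms, "expiry": expiry, "findings": findings}

if __name__ == "__main__":
    for sample in (ACCOUNT_SAS_URL, DELEGATION_SAS_URL):
        report = classify_sas(sample)
        print(report["kind"], report["permissions"], report["expiry"])
        for finding in report["findings"]:
            print("  -", finding)
```

Run against the first sample it reports an account SAS with write and delete permissions and a 2051 expiry; the second, a read-only user delegation SAS on a single blob, produces no scope or permission findings.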