Microsoft's recent security blunder involves the inadvertent exposure of a substantial 38 terabytes of sensitive data, which encompassed confidential secrets, cryptographic keys, passwords, and an extensive trove of over 30,000 internal Teams messages.
This breach unfolded on GitHub during the publication of open-source training data within a repository named "robust-models-transfer." The incident's root cause was traced back to an excessively permissive SAS token, an Azure Storage feature for sharing data that is hard to track and revoke once issued. This grave security lapse was reported to Microsoft on June 22, 2023.
The repository's README.md file instructed developers to download models from an Azure Storage URL whose SAS token inadvertently granted access to the entire storage account, thereby exposing additional private information.
What exacerbates this situation is that the token was also misconfigured, allowing "full control" permissions instead of read-only access, potentially enabling attackers not only to view but also to delete and overwrite files in the storage account.
In response to this alarming revelation, Microsoft has reassured that there's no evidence of unauthorized customer data exposure and that other internal services remained unaffected.
Swift actions were taken to revoke the problematic SAS token and block external access to the storage account. Remediation efforts included expanding their secret scanning service to identify overly permissive SAS tokens and addressing a bug in their scanning system.
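The kind of check a secret scanner can apply to a README link follows, as an added example that is not Microsoft's scanning service and not code from the affected repository. It parses the documented SAS query parameters (sv, ss, srt, sr, sp, se, si, spr, sig) and flags the three properties that made this token dangerous: account-wide scope, write and delete permissions instead of read-only, and an expiry decades away. The hostname, signature value, 30-day lifetime threshold and sample README text are constructed for the example.

```python
"""Flag overly permissive Azure Storage SAS URLs found in text such as a README.

Illustrative example, not Microsoft's scanner. The query parameter names are
the documented SAS parameters; the thresholds and sample URLs are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")
READ_ONLY_PERMISSIONS = {"r", "l"}  # read and list; any other letter can modify data

# Date the issue was reported (from the article); used as "now" in the demo.
EXAMPLE_NOW = datetime(2023, 6, 22, tzinfo=timezone.utc)

# Constructed README text: one account-wide, full-control token with a far-off
# expiry, and one read-only, single-blob token with a one-week expiry.
SAMPLE_README = """
Download the models from:
https://examplestorage.blob.core.windows.net/?sv=2020-08-04&ss=b&srt=sco&sp=rwdlacupx&se=2051-10-09T00:00:00Z&spr=https&sig=PLACEHOLDER_SIGNATURE
A correctly scoped link looks like:
https://examplestorage.blob.core.windows.net/models/resnet50.pt?sv=2020-08-04&sr=b&sp=r&se=2023-06-29T00:00:00Z&spr=https&sig=PLACEHOLDER_SIGNATURE
"""


@dataclass
class SasFinding:
    url: str
    issues: list = field(default_factory=list)

    @property
    def overly_permissive(self) -> bool:
        return bool(self.issues)


def _parse_expiry(value: str) -> datetime:
    # 'se' is ISO 8601, e.g. 2023-06-22T00:00:00Z or a bare date 2023-06-22.
    exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return exp if exp.tzinfo else exp.replace(tzinfo=timezone.utc)


def analyze_sas_url(url: str, now: datetime = None, max_lifetime_days: int = 30) -> SasFinding:
    """Return a finding listing every risky property of a SAS URL (empty if none)."""
    now = now or datetime.now(timezone.utc)
    finding = SasFinding(url=url)
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in q or "sv" not in q:
        return finding  # not a SAS URL, nothing to assess

    # Scope: an account SAS (ss/srt) covers the whole storage account; a service
    # SAS with sr=c covers a whole container, sr=b only a single blob.
    if "ss" in q or "srt" in q:
        finding.issues.append("account SAS: scope is the whole storage account")
    elif q.get("sr") == "c":
        finding.issues.append("container SAS: scope is every blob in the container")

    # Permissions: anything beyond read/list lets the holder alter or delete data.
    elevated = set(q.get("sp", "")) - READ_ONLY_PERMISSIONS
    if elevated:
        finding.issues.append("write/delete permissions: " + "".join(sorted(elevated)))

    # Lifetime: a token with no expiry must rely on a stored access policy (si),
    # which cannot be inspected from the URL alone.
    if "se" in q:
        days = (_parse_expiry(q["se"]) - now).days
        if days > max_lifetime_days:
            finding.issues.append(f"expiry {days} days away (limit {max_lifetime_days})")
    elif "si" not in q:
        finding.issues.append("no expiry (se) and no stored access policy (si)")

    if "http" in q.get("spr", "https").split(","):
        finding.issues.append("plain HTTP allowed (spr)")
    return finding


def scan_text(text: str, **kwargs) -> list:
    """Extract every URL from text and keep only SAS URLs that raise an issue."""
    findings = (analyze_sas_url(u, **kwargs) for u in URL_RE.findall(text))
    return [f for f in findings if f.overly_permissive]


def demo() -> list:
    return scan_text(SAMPLE_README, now=EXAMPLE_NOW)


if __name__ == "__main__":
    for f in demo():
        print(f.url.split("?")[0])
        for issue in f.issues:
            print("  -", issue)
```

Run over the sample README, only the first link is reported, with three issues: account-wide scope, write/delete permissions (acdpuwx after removing read and list), and an expiry more than 28 years out. The read-only, single-blob link with a one-week expiry passes. In a real pipeline the same function would run on every commit touching documentation or notebooks, since a SAS URL in a README is exactly where a scanner tuned for passwords and API keys tends to look past it.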
This incident serves as a stark reminder of the paramount importance of safeguarding data, especially as AI continues to necessitate handling vast datasets.
Microsoft's unfortunate security lapse underscores the ongoing need for stringent data protection measures in an era marked by increasing data reliance and sharing.
Source: Google News, The Hacker News