Microsoft researchers inadvertently exposed 38 TB of data.
The AI team, which was uploading exercise data to allow other researchers to practice AI models in symbol recognition, exposed the data, which included “secrets, personal keys, passwords and more than 30,000 internal Microsoft Teams messages,” according to the cloud security platform. Wiz. , who was the first to realize the exposure of knowledge.
Microsoft, in its own report on the breach, noted that “no knowledge of visitors was exposed and no other insiders were threatened due to this issue” and that no action was required from those visitors.
The link to the knowledge containing the files was established using a function in Azure called “SAS tokens,” which allows users to create links to share. Wiz first discovered access to knowledge on June 22 and alerted Microsoft. The token was revoked the next day and Microsoft claims to have a constant challenge and adjusted SAS tokens that are more permissive than expected.
“The information that was exposed was information expressed to two former Microsoft employees and the workstations of those former employees,” the company said. “No visitor data has been exposed and no other Microsoft installation has been compromised due to this issue. Guests don’t want to take extra steps to stay safe. Like any secret, SAS tokens will need to be properly created and controlled. As always, we strongly inspire our consumers to follow our most productive practices when SAS tokens minimize the threat of unintentional access or abuse.
Wiz cautioned that those kinds of mistakes may become less unusual as AI is trained and used more frequently.
“This case is an example of the new dangers facing organizations as they begin to harness the power of AI more broadly, as more of their engineers now work with vast amounts of educational knowledge,” the organization wrote. To put new AI answers into production, the vast amounts of knowledge they process require additional controls and security measures. “