Occurred: October 2023
Microsoft AI researchers accidentally exposed 38 terabytes of confidential and private information on GitHub, raising questions about the company's security practices.
Wiz researchers investigating a cloud-hosted data exposure discovered a Microsoft GitHub repository with open-source code for AI image recognition models. The data, some of which had been exposed since July 2020, included backups of two Microsoft employees’ computers, private passwords and passkeys, and more than 30,000 Teams chat messages exchanged by 359 Microsoft employees.
Microsoft attributed the data exposure to the use of an excessively permissive Azure Cloud Shared Access Signature (SAS) token. In response, the company expanded GitHub’s secret scanning service, which monitors all public open-source code changes for credentials and other secrets exposed in plaintext.
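As an added illustration (not code from Microsoft, Wiz or the original article), the following Python example reviews an Azure Storage SAS URL for the properties that make a token excessively permissive: permissions beyond read/list, wide scope, no HTTPS restriction and a long lifetime. The storage account name, both URLs, the signature value and the read/list-only and 7-day thresholds are constructed assumptions.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Assumed review policy (not from the article): anything beyond read/list,
# or a lifetime above MAX_DAYS, is reported.
READ_ONLY = set("rl")
MAX_DAYS = 7
NOW = datetime(2023, 10, 1, tzinfo=timezone.utc)  # fixed clock for the samples

# Constructed sample URLs; the account and signature are placeholders.
BROAD = ("https://exampleacct.blob.core.windows.net/models"
         "?sv=2020-08-04&sr=c&sp=racwdl&se=2040-01-01T00:00:00Z&sig=CONSTRUCTED")
NARROW = ("https://exampleacct.blob.core.windows.net/models/weights.bin"
          "?sv=2020-08-04&sr=b&sp=r&spr=https&se=2023-10-03T00:00:00Z&sig=CONSTRUCTED")

def audit_sas_url(url, now=None):
    """Return a list of findings for one Azure Storage SAS URL."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["not a SAS URL (no sig parameter)"]
    findings = []
    extra = set(q.get("sp", "")) - READ_ONLY
    if extra:
        findings.append("grants more than read/list: " + "".join(sorted(extra)))
    # Account SAS carries ss/srt; service SAS carries sr (c=container, b=blob).
    if "srt" in q:
        findings.append("account-level SAS (srt=%s)" % q["srt"])
    elif q.get("sr") == "c":
        findings.append("scoped to a whole container, not a single blob")
    if q.get("spr", "") != "https":
        findings.append("HTTPS not enforced (spr)")
    se = q.get("se")
    if se is None:
        findings.append("no expiry in URL; lifetime set by stored access policy")
    else:
        expiry = datetime.fromisoformat(se.replace("Z", "+00:00"))
        if expiry.tzinfo is None:  # date-only values parse as naive
            expiry = expiry.replace(tzinfo=timezone.utc)
        days = (expiry - now).days
        if days > MAX_DAYS:
            findings.append("expires in %d days (limit %d)" % (days, MAX_DAYS))
    return findings

if __name__ == "__main__":
    for name, url in (("BROAD", BROAD), ("NARROW", NARROW)):
        print(name, audit_sas_url(url, NOW) or "ok")
```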
Technology: Computer vision
Published: November 2023