Microsoft accidentally leaves 38TB of private data exposed for three years

A startling security lapse has come to light as a new report from cloud security firm Wiz reveals that Microsoft accidentally left up to 38TB of sensitive company data exposed to the public for three years.

According to the researchers at Wiz, the incident happened after Microsoft's AI research team uploaded an overly permissive URL to its GitHub repository. Microsoft's AI research team often shares links to open-source training data with the GitHub community. However, in this case, the link led to an Azure Storage bucket that had been misconfigured, allowing access to sensitive data that should have been protected.

"The [Microsoft] researchers shared their files using an Azure feature called SAS tokens, which allows you to share data from Azure Storage accounts. The access level can be limited to specific files only; however, in this case, the link was configured to share the entire storage account – including another 38TB of private files," explained the researchers from Wiz.

The exposed data contained full backups of two employee work devices. The backups contained sensitive information such as passwords to Microsoft services, private keys, and records of over 30,000 internal Microsoft Teams messages.

The misconfigured link was shared in 2020 but went unnoticed for over three years until Wiz's recent discovery.

In response to the incident, Microsoft has issued a statement saying that there’s no evidence to suggest that customer data was exposed or that other internal systems were compromised due to the misconfiguration.

“We are making ongoing improvements to further harden the SAS token feature and continue to evaluate the service to bolster our secure-by-default posture,” the tech giant said.

This incident is a stark reminder of the need for robust governance and monitoring practices, especially concerning SAS tokens.

As noted by Wiz, a particular challenge with SAS tokens management is the lack of a centralized management system.

“These tokens are very hard to track, as Microsoft does not provide a centralized way to manage them within the Azure portal,” Wiz said. “In addition, these tokens can be configured to last effectively forever, with no upper limit on their expiry time. Therefore, using Account SAS tokens for external sharing is unsafe and should be avoided.”