Microsoft's 38TB Data Fiasco

Tuesday, 26/09/2023 | 09:16 GMT by Louis Parks
  • Tech giant hands over security tokens on open repository.
  • Info includes sensitive employee information, keys, and internal messages.

It's not every day you stumble upon a treasure trove of secrets. But that's precisely what happened when a Microsoft researcher, probably multitasking between coding and binge-watching cat videos, shared a URL on a public GitHub repository. Little did they know, they were about to gift the world 38TB of Microsoft's deepest data secrets.

Picture this: June 2023, a Microsoft researcher innocently shares a URL on a public GitHub repository while contributing to an open-source AI model. Harmless, right? Wrong. The URL contained a "shared access signature" (SAS) token, and this wasn't your average token.

28 Years of Access

SAS tokens, designed to restrict access to Azure Storage (part of Microsoft’s cloud offering), are like the wild cards in a deck of otherwise predictable playing cards. They're flexible, and herein lies the rub. Users can customize access levels, adjust expiry times, and essentially create tokens that never expire – our star token was valid till 2051, a good 28 years from now. You can learn all about them here, courtesy of Microsoft. Perhaps read on first, though.

Now, here's where we go from mild mishap to serious problem. This particular SAS token, configured with the techy finesse of a bull in a china shop, granted access across an entire storage account. A storage account that happened to house 38TB of data, including sensitive employee information, secret keys, and internal team messages. Oops.
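As an added illustration (this is not code from the article, from Microsoft or from Wiz), the short audit script below reads the standard SAS query parameters off a storage URL and flags exactly the two properties described above: scope across the whole storage account and an expiry decades away. The storage account name, URL and signature value are constructed for the example.

```python
"""Audit an Azure Storage SAS URL for over-broad settings.

Added example, not Microsoft's or Wiz's code: it reads the standard SAS query
parameters (ss, srt, sr, sp, se, sig) and flags the properties the article
describes. The sample URL and signature are constructed.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlparse

# Permission letters beyond plain read: write, delete, list, add, create, update, process.
WRITE_LIKE = set("wdlacup")

# Constructed sample: account SAS (ss/srt present), rwdlac permissions, expiring in 2051.
SAMPLE_URL = (
    "https://exampleaccount.blob.core.windows.net/models"
    "?sv=2022-11-02&ss=b&srt=sco&sp=rwdlac&se=2051-10-06T10:05:38Z&sig=CONSTRUCTED"
)

def parse_sas(url: str) -> Dict[str, str]:
    """Return the SAS query parameters of url as a flat dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

def audit_sas(url: str, now: Optional[datetime] = None) -> List[str]:
    """Return findings about the token; an empty list means nothing risky was seen."""
    now = now or datetime.now(timezone.utc)
    sas = parse_sas(url)
    if "sig" not in sas:
        return ["no SAS signature (sig=) present; not a SAS URL"]
    findings = []
    # An account SAS carries ss= (services) and srt= (resource types); a service
    # SAS carries sr= and is scoped to a single blob (b), container (c), etc.
    if "ss" in sas or "srt" in sas:
        findings.append("account-level SAS: access across the whole storage account")
    elif sas.get("sr") == "c":
        findings.append("container-level SAS: access to every blob in the container")
    if set(sas.get("sp", "")) & WRITE_LIKE:
        findings.append(f"permissions {sas['sp']!r} go beyond read-only")
    se = sas.get("se")
    if se is None:
        findings.append("no expiry (se=) set")
    else:
        expiry = datetime.fromisoformat(se.replace("Z", "+00:00"))
        if expiry.tzinfo is None:  # date-only expiry: treat as UTC
            expiry = expiry.replace(tzinfo=timezone.utc)
        years = (expiry - now).days / 365.25
        if years > 1:
            findings.append(f"expiry {se} is {years:.1f} years away")
    return findings
```

Running `audit_sas(SAMPLE_URL)` returns three findings: account-level scope, permissions beyond read-only, and an expiry roughly 28 years out, which is the combination the article describes.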

Keys to the Kingdom?

Thankfully, it wasn't all doom and gloom. The brilliant minds at Wiz.io, a cloud security firm, discovered the exposure and joined forces with Microsoft to contain the chaos, revealing the mishap in a coordinated vulnerability disclosure report. The silver lining? No customer data was exposed, and the incident has given Microsoft a valuable lesson. Releasing the inside story only after the problem has been resolved and fixed, hopefully never to happen again, is common practice in the world of IT security; the eagle-eyed among you will have noticed that this occurred in June, but the story's only recently been doing the rounds. Still, it certainly sounds like Microsoft had to jump when Wiz.io got on the phone, and no doubt there were some hasty apologies.

Microsoft acknowledged the blunder and promised to enhance its SAS token feature. They also emphasized the importance of creating and managing these tokens properly, just like guarding the keys to your kingdom.

The key takeaway from all of this is to not share your data in a public space. We can’t believe we’ve had to write that, but there you go.


About the Author: Louis Parks
Louis Parks has lived and worked in and around the Middle East for much of his professional career. He writes about the meeting of the tech and finance worlds.