Microsoft Corp’s AI research team inadvertently exposed a significant amount of private data on the software development platform GitHub, according to new research by a cybersecurity firm. Cloud security company Wiz found that cloud-hosted data had been exposed on the AI training platform through a misconfigured link. Wiz stated that Microsoft’s research team leaked the data while publishing open-source training data on GitHub.
Users of the repository were encouraged to download AI models from a cloud storage URL. However, the link was misconfigured: it granted permissions on the entire storage account, including full control permissions. This meant that users could delete and overwrite existing files, as noted in a blog post by Wiz.
The exposed data included personal computer backups of Microsoft employees, which contained passwords to various Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from 359 Microsoft employees, according to Wiz’s findings.
While open data sharing is integral to AI training, the improper sharing of large amounts of data exposes companies to greater risks, Wiz’s researchers noted. In June, Wiz shared the data with Microsoft, which promptly took action to remove the exposed data. Ami Luttwak, Wiz’s CTO and co-founder, stated that the incident “could have been worse.”
A Microsoft spokesperson, when asked for comment, stated, “We have confirmed that no customer data was exposed, and no other internal services were put at risk.”
In a blog post released on Monday, Microsoft acknowledged the incident and stated that they had investigated and resolved the matter. The incident involved a Microsoft employee who shared a URL to open-source AI learning models in a public GitHub repository. Microsoft further explained that the exposed data in the storage account consisted of backups of two former employees’ workstation profiles and internal Microsoft Teams messages exchanged between these two employees and their colleagues.
Wiz’s research team discovered the data cache while scanning the internet for misconfigured storage containers as part of their ongoing efforts to identify accidental exposure of cloud-hosted data.
– Bloomberg
Credit: The Star : Tech Feed
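
A pre-publication check for the kind of misconfigured link described above, added here as an example; it is not code from the article, Wiz or Microsoft. It assumes the shared link is an Azure Storage shared access signature (SAS) URL, which the article does not name; the function names, finding codes, seven-day threshold and sample URLs are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Azure SAS permission letters that change or remove data:
# write, delete, delete-version, permanent-delete, add, create, update.
MUTATING = set("wdxyacu")

# Constructed sample links (hypothetical account, placeholder signatures).
BROAD_URL = ("https://examplestorage.blob.core.windows.net/models"
             "?sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacup"
             "&se=2051-01-01T00:00:00Z&spr=https&sig=CONSTRUCTED")
SCOPED_URL = ("https://examplestorage.blob.core.windows.net/models/model.ckpt"
              "?sv=2020-08-04&sr=b&sp=r&se=2024-01-03T00:00:00Z&sig=CONSTRUCTED")
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed review date


def parse_expiry(value):
    """Parse the ISO 8601 UTC timestamp carried in the `se` parameter."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_shared_url(url, now, max_lifetime=timedelta(days=7)):
    """Return sorted finding codes for a storage link about to be published."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in query:
        return []  # no signature parameter, so not a SAS link
    findings = set()
    # An account SAS carries `ss`/`srt`; a service SAS names one resource in `sr`.
    if "ss" in query or "srt" in query:
        findings.add("account-wide-scope")
    if MUTATING & set(query.get("sp", "")):
        findings.add("write-or-delete-permission")
    # `se` is absent when expiry lives in a stored access policy (`si`).
    if "se" in query and parse_expiry(query["se"]) - now > max_lifetime:
        findings.add("long-lived")
    return sorted(findings)


if __name__ == "__main__":
    for link in (BROAD_URL, SCOPED_URL):
        print(urlsplit(link).path, audit_shared_url(link, NOW))
```

Run as a commit hook or CI step over any storage URL found in a README or notebook, the check fails the publish when a link is account-scoped, writable or long-lived.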