
Microsoft leaked 38TB Of Data Via Unsecured Azure Storage

Microsoft's AI research division accidentally leaked several terabytes of sensitive data, beginning in July 2020, while contributing open-source AI learning models to a public GitHub repository.

It took almost three years for this to be discovered by the cloud security firm Wiz, whose security researchers found that a Microsoft employee had inadvertently shared the URL for a misconfigured Azure Blob storage bucket containing the leaked information.

Because the data was accessible for such a long time, it is very likely that someone else stumbled upon it long before the security researchers did.

Wiz reported the incident to MSRC on June 22nd, 2023, and MSRC revoked the SAS token, mitigating the issue on June 24th, 2023.

The data exposure happened due to the use of an excessively permissive Shared Access Signature (SAS) token, which allowed full control over the shared files.

If correctly used, Shared Access Signature (SAS) tokens offer a secure means of granting delegated access to resources within your storage account.

"Due to a lack of monitoring and governance, SAS tokens pose a security risk, and their usage should be as limited as possible. These tokens are very hard to track, as Microsoft does not provide a centralized way to manage them within the Azure portal," Wiz wrote.

"In addition, these tokens can be configured to last effectively forever, with no upper limit on their expiry time. Therefore, using Account SAS tokens for external sharing is unsafe and should be avoided."
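The two properties named above, overly broad permissions and a far-off expiry, are both visible in the query string of a SAS URL, so a URL can be checked before it is shared. The following is an added example, not code from Microsoft or Wiz; the sample URLs, the account name and the 7-day lifetime limit are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Policy values assumed for this example; they are not Azure or Wiz limits.
MAX_LIFETIME = timedelta(days=7)
WRITE_PERMS = set("wdacup")  # write, delete, add, create, update, process

# Constructed sample URLs (hypothetical account name, placeholder signature).
BROAD_URL = ("https://exampleaccount.blob.core.windows.net/models"
             "?sv=2020-08-04&ss=b&srt=sco&sp=rwdlacup"
             "&se=2050-01-01T00:00:00Z&spr=https&sig=CONSTRUCTED")
SCOPED_URL = ("https://exampleaccount.blob.core.windows.net/models"
              "?sv=2020-08-04&sr=c&sp=rl"
              "&se=2023-09-25T00:00:00Z&spr=https&sig=CONSTRUCTED")


def audit_sas_url(url, now=None):
    """Return a list of findings for the SAS token carried in a storage URL."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["no SAS token found"]
    findings = []
    # An account SAS carries ss (services) and srt (resource types);
    # a service SAS carries sr and is limited to one resource.
    if "ss" in q and "srt" in q:
        findings.append("account SAS: not limited to a single container or blob")
    risky = sorted(WRITE_PERMS & set(q.get("sp", "")))
    if risky:
        findings.append("write-capable permissions: " + "".join(risky))
    if q.get("spr") != "https":
        findings.append("plain HTTP allowed (spr is not https-only)")
    try:
        expiry = datetime.fromisoformat(q["se"].replace("Z", "+00:00"))
    except (KeyError, ValueError):
        findings.append("no parseable se (expiry) in the URL")
        return findings
    if expiry.tzinfo is None:  # date-only se values parse as naive
        expiry = expiry.replace(tzinfo=timezone.utc)
    if expiry <= now:
        findings.append("token already expired")
    elif expiry - now > MAX_LIFETIME:
        findings.append(f"expires in {(expiry - now).days} days")
    return findings


if __name__ == "__main__":
    fixed_now = datetime(2023, 9, 24, tzinfo=timezone.utc)  # constructed "today"
    for sample in (BROAD_URL, SCOPED_URL):
        print(audit_sas_url(sample, fixed_now) or "no findings")
```

A check like this can run over repository contents or outgoing documents to catch SAS URLs before publication; it inspects only the token's declared parameters and does not contact the storage account.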

The data included backups of personal information belonging to Microsoft employees, including passwords for Microsoft services, secret keys and an archive of over 30,000 internal Microsoft Teams messages originating from 359 Microsoft employees.

An advisory was published on Monday by the Microsoft Security Response Center (MSRC) team, saying that:

"No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue."

The Azure cloud platform offers more than 200 products and cloud services.