Microsoft researchers inadvertently expose 38 TB of internal data

Definitely, this is the law of series for Microsoft. The American publisher has once again been asked to explain an internal bug in its data privacy management, after revelations about the accidental exposure of 38 terabytes of data from one of its public Github dedicated to artificial intelligence.

Last Monday, the Redmond firm explained how it was trying to learn the best lessons from the incident. She also assured that no customer data had “been exposed” and that no other internal services had “been put at risk”.

30,000 messages

As told by Wiz, a company specializing in cloud security, the accessible data included about 30,000 internal messages exchanged by 359 employees, passwords and the backup of the workstations of two Microsoft researchers.

These precious data remained accessible for a little less than three years, Microsoft closing their access on June 24, 2023, two days after the Wiz alert. It is not known whether third parties may have actually had access to this data.

It all started with the accidental sharing in July 2020 of a URL from a misconfigured online storage account. It made it possible to go far beyond the only artificial intelligence models for image recognition that were initially shared.

Law of series

This story falls at its worst for Microsoft, entangled in two other stories. At the beginning of September, the publisher had unveiled the operating procedure for Storm-0558. This high-flying espionage case, attributed to Chinese hackers, had raised questions about the security of the company’s messaging service. The hackers had managed to get their hands on a Microsoft consumer signature key (MSA) wrongly kept in a “crash dump”, a first sesame that had opened other doors for them.

The American press has also just been full of a new unintentional data leak. Opposed to the US competition authority, the Federal Trade Commission (FTC), in the case of the takeover of Activision Blizzard, Microsoft caught its feet in the carpet by sharing with the justice documents that had not been redacted confidential data. According to Wired, this would simply be the largest information leak in the company’s history.