Microsoft has admitted to mistakenly leaking 38 terabytes of private data belonging to its employees, including passwords, private keys and Teams messages. The leak took place in July 2020 and was uncovered earlier this year.
The leak occurred when a misconfigured Blob storage bucket on the company’s Azure cloud platform was shared while Microsoft was publishing open-source AI learning models to a public GitHub repository, the company said this week.
The huge tranche of exposed data was linked by Microsoft to the use of a type of shared access signature (SAS) token, which allowed full access and control over the exposed files. Researchers at security company Wiz uncovered the breach and described the use of such tokens as challenging to monitor and to revoke.
SAS tokens were created to allocate appropriate levels of data access within storage accounts to different employees in a company. The tokens can precisely allocate access, down to specifying the resources a client can interact with, what they can access, their permissions concerning these resources and how long the access will last.
It appears the monitoring of these tokens is insufficient, Wiz has warned. “Due to a lack of monitoring and governance, SAS tokens pose a security risk, and their usage should be as limited as possible. These tokens are very hard to track, as Microsoft does not provide a centralised way to manage them within the Azure portal,” the company said.
Wiz goes further, saying the tokens should be avoided altogether, since SAS tokens can be configured to last forever, which makes them even less secure. “These tokens can be configured to last effectively forever, with no upper limit on their expiry time,” the team at Wiz wrote. “Therefore, using account SAS tokens for external sharing is unsafe and should be avoided.”
What data was leaked by Microsoft?
The leaked data contains an archive of more than 30,000 internal Microsoft Teams messages, from 359 employees, as well as passwords and secret keys for Microsoft services.
Microsoft maintains that no customer data was exposed in the leak and no other internal services are in danger as a result of the breach. The company revoked the SAS token on 24 June, two days after it was informed of the leak, blocking all external access to the Azure storage account. Microsoft said it completed its investigation of the leak’s impact on the organisation on 16 August.
To mitigate the risk of anything similar happening again, Microsoft expanded its secret scanning service to include any SAS token that could have excessive expirations or privileges, in December 2022.
“This service runs [an] SAS detection, provided by Microsoft, that flags Azure Storage SAS URLs pointing to sensitive content, such as VHDs and private cryptographic keys,” a post from the company’s security team said. “Microsoft has expanded this detection to include any SAS token that may have overly permissive expirations or privileges.”
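The token properties described above (scope, permissions, expiry) and the kind of check Microsoft's secret scanning now performs (flagging SAS URLs with overly permissive expirations or privileges, or pointing at VHDs and private keys) can be illustrated with a small audit function. This is an added example, not Microsoft's or Wiz's code; the sample URLs, the seven-day lifetime policy and the list of sensitive file suffixes are constructed assumptions.

```python
"""Audit Azure Storage SAS URLs for overly permissive expiry or privileges."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

NOW = datetime(2023, 6, 22, tzinfo=timezone.utc)  # fixed for reproducibility; a scanner would use datetime.now(timezone.utc)
MAX_LIFETIME = timedelta(days=7)          # assumed policy: nothing shared externally lives longer
SAFE_PERMISSIONS = set("rl")              # read and list only
SENSITIVE_SUFFIXES = (".vhd", ".vhdx", ".pem", ".key", ".pfx", ".p12")

# Constructed sample URLs (hosts and signatures are placeholders, not real tokens).
BROAD_URL = ("https://example.blob.core.windows.net/models/backup.vhd?sv=2021-06-08&ss=bfqt&srt=sco"
             "&sp=racwdl&se=2051-01-01T00:00:00Z&spr=https&sig=PLACEHOLDER")
NARROW_URL = ("https://example.blob.core.windows.net/models/weights.bin?sv=2021-06-08&sr=b"
              "&sp=r&se=2023-06-23T00:00:00Z&spr=https&sig=PLACEHOLDER")

def parse_sas(url):
    """Return the SAS query parameters as a dict, or None if the URL carries no SAS token."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    return q if "sig" in q and "sv" in q else None

def parse_expiry(se):
    """Parse the 'se' field; Azure accepts full UTC timestamps or a bare date."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(se, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def audit_sas(url, now=NOW):
    """Return a list of findings for one SAS URL; an empty list means nothing was flagged."""
    q = parse_sas(url)
    if q is None:
        return ["not a SAS URL"]
    findings = []
    if "ss" in q or "srt" in q:  # 'ss'/'srt' only appear on account-level SAS
        findings.append("account SAS: not scoped to one container or blob")
    if set(q.get("srt", "")) >= set("sco"):
        findings.append("grants all resource types (service, container, object)")
    extra = set(q.get("sp", "")) - SAFE_PERMISSIONS
    if extra:
        findings.append("permissions beyond read/list: " + "".join(sorted(extra)))
    expiry = parse_expiry(q["se"]) if "se" in q else None
    if expiry is None:
        findings.append("no parseable expiry: token may rely on a stored access policy")
    elif expiry - now > MAX_LIFETIME:
        findings.append(f"expiry {q['se']} is more than {MAX_LIFETIME.days} days out")
    if urlparse(url).path.lower().endswith(SENSITIVE_SUFFIXES):
        findings.append("points at sensitive content: " + urlparse(url).path.rsplit("/", 1)[-1])
    return findings
```

Run over a repository's text files, the findings list is what a reviewer would want to see before a URL like the broad one above is committed; the narrow URL (single blob, read-only, one-day expiry) produces no findings.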