View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
September 19, 2023

Microsoft admits to massive data leak two years after the event

The leak of internal data contained passwords, private keys and Teams messages. But why did it take so long to come to light?

By Claudia Glover

Microsoft has admitted to mistakenly leaking 38 terabytes of private data belonging to its employees, including passwords, private keys and Teams messages. The leak took place in July 2020 and was uncovered earlier this year.

Microsoft admits to leaking 38TB of data in 2020. (Photo by Jean-Luc Ichard/Shutterstock)

The leak was through the sharing of a misconfigured Blob storage bucket on the company’s Azure cloud platform while donating open-source AI learning models to a public GitHub repository, Microsoft said this week.

The huge tranche of exposed data was linked by Microsoft to the use of a type of shared access signature (SAS) token, which allowed full access and control over the exposed files. Researchers at security company Wiz uncovered the breach and described the use of such tokens as challenging to monitor and to revoke.

SAS tokens were created to allocate appropriate levels of data access within storage accounts to different employees in a company. The tokens can precisely allocate access, down to specifying the resources a client can interact with, what they can access, their permissions concerning these resources and how long the access will last. 

It appears the monitoring of these tokens is insufficient, Wiz has warned. “Due to a lack of monitoring and governance, SAS tokens pose a security risk, and their usage should be as limited as possible. These tokens are very hard to track, as Microsoft does not provide a centralised way to manage them within the Azure portal,” the company said.

The use of the tokens should be avoided altogether, Wiz continues, as SAS tokens can be configured to last forever, making them even less secure. “These tokens can be configured to last effectively forever, with no upper limit on their expiry time,” the team at Wiz wrote. “Therefore, using count SAS tokens for external sharing is unsafe and should be avoided.”

What data was leaked by Microsoft?

The leaked data contains an archive of more than 30,000 internal Microsoft Teams messages, from 359 employees, as well as passwords and secret keys for Microsoft services.

Content from our partners
Green for go: Transforming trade in the UK
Manufacturers are switching to personalised customer experience amid fierce competition
How many ends in end-to-end service orchestration?

Microsoft maintains that no customer data was exposed in the leak and no other internal services are in danger as a result of the breach. The company revoked the SAS token on 24 June, two days after it was informed of the leak, blocking all external access to the Azure storage account. Microsoft said it completed its investigation of the leak’s impact on the organisation on 16 August.

To mitigate the risk of anything similar happening again, Microsoft expanded its secret scanning service to include any SAS token that could have excessive expirations or privileges, in December 2022.

“This service runs [an] SAS detection, provided by Microsoft, that flags Azure Storage SAS URLs pointing to sensitive content, such as VHDs and private cryptographic keys,” a post from the company’s security team said. “Microsoft has expanded this detection to include any SAS token that may have overly permissive expirations or privileges.”

Read more: Does Microsoft have a security problem?

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU