(Bloomberg) — Microsoft Corp.’s AI research team accidentally exposed a large cache of private data on software development platform GitHub, according to new research from a cybersecurity firm.
Wiz’s cloud security team found cloud-hosted data on the AI training platform exposed through a misconfigured link. According to Wiz, this data was leaked by Microsoft’s research team when it published open-source training data on GitHub.
Repository users were prompted to download the AI models from the cloud repository URL. However, the link was misconfigured: it granted permissions to the entire storage account, and it gave users full control permissions rather than read-only permissions, meaning they could delete and overwrite existing files, according to a Wiz blog post. The exposed data included backups of Microsoft employees’ personal computers, which Wiz said contained passwords to Microsoft services, secret keys and more than 30,000 internal Microsoft Teams messages from 359 Microsoft employees.
Open data sharing is a key part of AI training, but sharing more data puts companies at greater risk if it’s shared incorrectly, Wiz researchers say. Wiz shared the data in June with Microsoft, which quickly removed the exposed data, said Ami Luttwak, chief technology officer and co-founder of Wiz, who added that the incident “could have been worse.”
Asked for comment, a Microsoft spokesperson said: “We have confirmed that no customer data was exposed and no other internal services were compromised.”
In a blog post published on Monday, Microsoft said it investigated and fixed an incident involving a Microsoft employee who shared a URL to a public GitHub repository for open-source AI learning models. Microsoft said the data exposed in the storage account included backups of the workstation profiles of two former employees and the two employees’ internal Microsoft Teams messages with their colleagues.
The data cache was found by Wiz’s research team, which was scouring the Internet for misconfigured storage containers as part of its ongoing work on accidental exposure of cloud-hosted data, according to the blog.
©2023 Bloomberg LP