Microsoft fixes internal data exposure, says no customer data breach


San Francisco, Sep 18 (IANS): Microsoft on Monday admitted that backups of two former employees’ workstation profiles and internal Microsoft Teams messages of these two employees with their colleagues were exposed accidentally, adding that no customer data was exposed.

The admission came as cloud security startup Wiz discovered a GitHub repository belonging to Microsoft’s AI research division as part of its work into the accidental exposure of cloud-hosted data.

After identifying the exposure, Wiz reported the issue to the Microsoft Security Response Center (MSRC).

The tech giant investigated and remediated the incident involving a Microsoft employee who shared a URL for a blob store in a public GitHub repository while contributing to open-source AI learning models.

“This URL included an overly-permissive Shared Access Signature (SAS) token for an internal storage account. Security researchers at Wiz were then able to use this token to access information in the storage account,” said Microsoft.

“No customer data was exposed, and no other internal services were put at risk because of this issue,” the tech giant said in a blog post.

SAS tokens provide a mechanism to restrict access and allow certain clients to connect to specified Azure Storage resources.

In this case, a researcher at Microsoft inadvertently included this SAS token in a blob store URL while contributing to open-source AI learning models and provided the URL in a public GitHub repository.

“There was no security issue or vulnerability within Azure Storage or the SAS token feature. Like other secrets, SAS tokens should be created and managed properly. Additionally, we are making ongoing improvements to further harden the SAS token feature and continue to evaluate the service to bolster our secure-by-default posture,” Microsoft noted.

The information that was exposed consisted of information unique to two former Microsoft employees and these former employees’ workstations.

“Customers do not need to take any additional action to remain secure,” said the company.

 

  

Top Stories


Leave a Comment

Title: Microsoft fixes internal data exposure, says no customer data breach



You have 2000 characters left.

Disclaimer:

Please write your correct name and email address. Kindly do not post any personal, abusive, defamatory, infringing, obscene, indecent, discriminatory or unlawful or similar comments. Daijiworld.com will not be responsible for any defamatory message posted under this article.

Please note that sending false messages to insult, defame, intimidate, mislead or deceive people or to intentionally cause public disorder is punishable under law. It is obligatory on Daijiworld to provide the IP address and other details of senders of such comments, to the authority concerned upon request.

Hence, sending offensive comments using daijiworld will be purely at your own risk, and in no way will Daijiworld.com be held responsible.