Microsoft SAS misconfiguration causes 38TB leak

Technology company Microsoft has revealed that it suffered a data leak in July 2020 which exposed 38 terabytes of private employee data.

News of the leak was made public via a blog post on September 18. In it, Microsoft explained that the leak was caused by a software misconfiguration.

The company shared that the misconfiguration was uncovered in June 2023 by IT security company Wiz. In its investigation, the company discovered that “a researcher at Microsoft inadvertently included [a] SAS token in a blob store URL while contributing to open-source AI learning models and provided the URL in a public GitHub repository”.  

As the URL included an “overly-permissive” Shared Access Signature (SAS) token for an internal storage account at Microsoft, this meant that external parties (including security researchers at Wiz) were able to use the token to access the internal storage account and the data contained within it. The data stored in the account included the workstation profile backups of two former employees as well as the internal Microsoft Teams messages the former employees sent to their colleagues.

Overall, this meant that 38 terabytes of private data of Microsoft employees was made public, including private keys and passwords.

The cyber security incident was mitigated on June 24, 2023, after Microsoft’s Security Response Centre (MSRC) prevented all external access to the storage account by revoking the SAS token. An investigation into the misconfiguration and data leak revealed that there was “no risk to customers as a result of th[e] exposure”.

To prevent a similar cyber security incident from happening in the future, Microsoft has said it has expanded its secret scanning service to flag any and all SAS token that may have overly-permissive privileges or expirations. It has also fixed an issue with its historical rescanning process which originally flagged the SAS token that caused the data leak as a false positive.