osintelligence · 8 months
https://bit.ly/3rhPRW2 - 🖥️ Microsoft's AI research team inadvertently exposed 38TB of private data on GitHub, including over 30,000 internal Microsoft Teams messages, because of a misconfigured SAS token. #Microsoft #DataLeak #SASToken

🔍 Wiz Research discovered the issue while scanning for misconfigured storage containers. The storage URL in the repository was meant to give access only to open-source models; instead, the SAS token attached to it opened the entire storage account, revealing private data such as employee workstation backups and other sensitive files. #WizResearch #Cybersecurity

📊 The incident highlights the risks businesses take on as they adopt AI. Handling vast amounts of training data demands stronger security checks and protocols, and as AI integration accelerates, mishaps like this underscore the importance of tightening data controls. #AISecurity #DataProtection

🔐 A brief on SAS tokens: in Azure, a Shared Access Signature (SAS) grants access to storage data with a permission set, scope and expiry that the issuer chooses. That flexibility is useful, but a misconfigured token grants far broader access than intended. In Microsoft's case the token was an Account SAS with full-control permissions over the whole account, and its expiry had been set to 2051. #Azure #SASTokenSecurity

🛠️ Recommendations for enhancing SAS security:
- Treat Account SAS tokens with caution: they are scoped to the whole storage account, cannot be revoked individually (only by rotating the account key) and are hard to audit.
- Use Service SAS tokens tied to a Stored Access Policy for external sharing, so permissions and expiry can be changed or revoked after the token is issued.
- Use User Delegation SAS tokens for time-limited sharing; their lifetime is capped at 7 days.
- Monitor active SAS token usage with Storage Analytics logs and Azure Metrics.
- Run secret-scanning tools over repositories to identify exposed SAS tokens.
#SASTokenRecommendations #CloudSecurity

🤖 The event also brings to light security issues in the AI development pipeline, specifically:
- Oversharing of data: massive data collections pose security risks, so clear guidelines for sharing AI datasets are essential.
- Potential supply chain attacks: the token also granted write access, so an attacker could have injected malicious code into the published AI models and compromised everyone who downloaded them. Proper model vetting is crucial.
#AIDevelopmentRisks

📌 In summary, SAS tokens, especially Account SAS tokens, should be used for external sharing only with great caution. Closer collaboration between security, data science and research teams can prevent such lapses, and as AI becomes more prevalent, understanding and mitigating the associated risks is paramount. #AISecurityBestPractices

📅 Timeline of the event:
- July 20, 2020: SAS token first committed to GitHub.
- October 6, 2021: token expiry extended to 2051.
- June 22, 2023: Wiz Research identified and reported the issue.
- June 24, 2023: Microsoft invalidated the SAS token.
- August 16, 2023: Microsoft concluded its internal investigation.
- September 18, 2023: information made public.
#EventTimeline

For further details, please refer to Microsoft's official statement on the MSRC blog.
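To make the "secret scanning" and "prefer short-lived, narrowly scoped tokens" recommendations concrete, here is an added example (not from the original post, Microsoft or Wiz) that scans text for Azure Storage SAS URLs and flags the properties that made the leaked token dangerous: Account SAS scope (the `ss`/`srt` parameters), write or delete permissions in `sp`, and an expiry (`se`) far beyond the 7-day limit that applies to user-delegation keys. It assumes only the documented SAS query-parameter names; the hostnames, signatures and README text are constructed for the demo, and the scan time is pinned to the day Wiz reported the issue so the output is deterministic.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Every SAS carries a signed version and a signature; permissions may be
# omitted when a stored access policy (si) defines them.
_SAS_REQUIRED = ("sv", "sig")
# Anything beyond read/list lets a holder tamper with data (or published models).
_WRITE_LIKE = set("wdca")  # write, delete, create, add
MAX_RECOMMENDED_DAYS = 7   # user-delegation keys cannot outlive 7 days

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def _parse_time(value):
    """Parse the ISO-8601 UTC forms Azure accepts in st/se."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None


def classify_sas(url, now):
    """Return an assessment dict for a SAS URL, or None if the URL is not a SAS."""
    parts = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if not all(k in q for k in _SAS_REQUIRED):
        return None

    # Token kind from the parameters only a given kind carries.
    if "skoid" in q:                      # signed with a user delegation key
        kind = "user-delegation"
    elif "ss" in q or "srt" in q:         # signedServices / signedResourceTypes
        kind = "account"
    elif "sr" in q or "si" in q:          # signedResource / stored access policy
        kind = "service"
    else:
        kind = "unknown"

    perms = set(q.get("sp", ""))
    expiry = _parse_time(q.get("se", ""))
    days_left = (expiry - now).days if expiry else None

    findings = []
    if kind == "account":
        findings.append("account SAS: scope is the whole storage account, not one container")
    if perms & _WRITE_LIKE:
        findings.append("grants %s: holder can alter or delete data"
                        % "".join(sorted(perms & _WRITE_LIKE)))
    if "sp" not in q and "si" in q:
        findings.append("permissions come from stored access policy %r" % q["si"])
    if days_left is None and "si" not in q:
        findings.append("no expiry set on the token")
    elif days_left is not None and days_left > MAX_RECOMMENDED_DAYS:
        findings.append("expires in %d days; cap shared tokens at %d"
                        % (days_left, MAX_RECOMMENDED_DAYS))

    return {
        "host": parts.netloc,
        "kind": kind,
        "permissions": "".join(sorted(perms)),
        "expiry": q.get("se"),
        "days_left": days_left,
        "sig": q["sig"][:4] + "...",   # never log the full signature
        "findings": findings,
    }


def scan_text(text, now):
    """Find every SAS URL in free text (README, commit, chat dump) and assess it."""
    return [r for r in (classify_sas(m.group(0), now) for m in URL_RE.finditer(text)) if r]


# Constructed sample: one over-privileged account SAS of the kind described in
# the post, and one read-only user-delegation SAS that expires in a day.
SCAN_TIME = datetime(2023, 6, 22, tzinfo=timezone.utc)
SAMPLE_README = """
Download the models here:
https://contosoaimodels.blob.core.windows.net/public/models/?sv=2020-08-04&ss=b&srt=sco&sp=rwdlacx&se=2051-10-06T19:06:12Z&sig=FAKESIGNATURE1
Temporary link for the reviewer:
https://contososhare.blob.core.windows.net/review?sv=2022-11-02&sr=c&sp=rl&st=2023-06-22T00:00:00Z&se=2023-06-23T00:00:00Z&skoid=00000000-0000-0000-0000-000000000000&sktid=00000000-0000-0000-0000-000000000000&skt=2023-06-22T00:00:00Z&ske=2023-06-23T00:00:00Z&sks=b&skv=2022-11-02&sig=FAKESIGNATURE2
Docs: https://learn.microsoft.com/azure/storage/common/storage-sas-overview
"""


def demo():
    return scan_text(SAMPLE_README, SCAN_TIME)


if __name__ == "__main__":
    for r in demo():
        print(r["host"], r["kind"], r["permissions"], r["expiry"], r["sig"])
        for f in r["findings"]:
            print("  !", f)
```

Running this on the constructed README reports the first URL as an account SAS with write/delete permissions and roughly 28 years to expiry, and the second as a clean user-delegation SAS; the docs link is ignored because it carries no `sv`/`sig`. Wired into a pre-commit hook or a CI scan, the same check catches a token before it lands in a public repository, which is where the 2020 commit in the post's timeline would have been stopped.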