Terabytes of Internal Private Data Accidentally Leaked by Microsoft AI Research Team
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
An accidental leak by AI researchers at Microsoft exposed 38TB of sensitive company information dating back to July 2020. The accident took place while publishing open-source AI training data onto a public GitHub repository.
The leak, which was discovered by cloud security company, Wiz , contained private keys, passwords, and over 30,000 internal Microsoft Teams messages. Wiz’s ongoing research into accidental exposure of cloud-hosted data revealed the leak source to be a Microsoft AI division-managed GitHub repository ‘’robust-models-transfer.’’
Although the readers of the repository are only meant to download the open-source code and AI models for image recognition from an Azure Storage URL. Wiz researchers found that the URL was mistakenly configured to grant access to the entire storage account.
A reader could not only access large terabytes of company information, but ‘’[..] the token was also misconfigured to allow “full control” permissions instead of read-only. Meaning, not only could an attacker view all the files in the storage account, but they could delete and overwrite existing files as well,’’ Wiz researchers revealed.
Microsoft & Wiz investigation revealed that the storage account wasn’t directly exposed, rather the misconfigured URL included ‘’an overly-permissive Shared Access Signature (SAS) token.’’
These tokens provide access to Azure Storage data and can be customized by the user to grant either read-only or full control permissions. A user can also create never-expiring access tokens.
According to Wiz, the SAS tokens can prove to be a major challenge to an organization’s system security. ‘’Due to a lack of monitoring and governance, SAS tokens pose a security risk, [..]. These tokens are very hard to track, as Microsoft does not provide a centralized way to manage them within the Azure portal.’’
On receiving Wiz’s report, Microsoft immediately launched an investigation and invalidated, as well as replaced the SAS token on GitHub.
Furthermore, Microsoft’s investigation revealed that the leak did not contain any customer information and none of the other internal services were affected by the incident.
TransUnion Denounces Data Breach Claims, Suggests Third-Party Data Leaks
- Written by Shipra Sanganeria Cybersecurity & Tech Writer
Consumer credit reporting agency, TransUnion has refuted data breach claims made by the well-known hacker ‘USDoD.’ The threat actor has gained notoriety in recent years after being associated with some big-name security breaches.
The incident came to light when USDoD posted several gigabytes of stolen data on BeachForums, a well-known dark web forum used for sale and purchase of hacking information. The actor claimed to have stolen the database containing sensitive personally identifiable information (PII) directly from the TransUnion system.
According to vx-underground researchers, the stolen database of around 58,505 individuals is said to contain full name, sex, age, credit score, passport, credit scores, and financial transaction details, among others.
‘’The database appears to be compromised on March 2nd, 2022. This leaked database has information on individuals all across the globe including the Americas (North and South), as well as Europe,’’ the post on X (formerly Twitter) stated.
The Chicago-based company on the other hand denied these claims, ‘’immediately upon discovering these assertions, we partnered with outside cybersecurity and forensic experts to launch a thorough investigation.’’
‘’At this time, we and our internal and external experts have found no indication that TransUnion systems have been breached or that data has been exfiltrated from our environment,’’ the company said in a statement .
It further went on to say that there is a discrepancy between the content and format of data posted, linking the incident to a third-party data leak. ‘’Through our investigation, we have found that multiple aspects of the messages – including the data, formatting, and fields – do not match the data content or formats at TransUnion, indicating that any such data came from a third party.’’
However, another post on X by Emsisoft threat analyst Brett Callow revealed the published post on BreachForums by USDoD.
