On the web, the only thing differentiate a legitimate user and a unprivileged individual, is the login credential when logging in into an account is that, the former has the username-password combination and the latter doesn't.
And when data is put on the web, the only way to differentiate types of access, is permission. With permission, the owner of the data can grant or deny others' access to their data. Usually, this process is straightforward, but sometimes, even professionals can make mistakes.
In this case, the mistake is undoubtedly significant.
According to a report from cloud security company Wiz, AI researchers at Microsoft accidentally leaked a staggering 38 terabytes of confidential company data on the developer platform GitHub.

The scope of the data spill is extensive, because according to the report, the leaked data contained a full disc backup of two employees' workstations, which included sensitive personal data, as well as company "secrets, private keys, passwords, and over 30,000 internal Microsoft Teams messages."
According to Wiz, the mishap happened when the researchers at Microsoft wanted to publish a "bucket of open-source training material" and "AI models for image recognition" to GitHub.
The thing is, the researchers made a mistake by miswriting the files' accompanying SAS token, or the storage URL that establishes file permissions.
As a result of this, instead of granting GitHub users access to the downloadable AI material specifically, the mistake allowed general access to the entire storage account.
The mistake can be less extensive if the researchers botched by publishing the data with read-only permissions.
But this is not the case, because the mistake granted "full control" access. What this means, anyone who saw the data and had ill intention, could not only downloaded the many terabytes of data for malicious purposes, but could also tinker with the data, including the ones Microsoft used for training its AI models.
We found a public AI repo on GitHub, exposing over 38TB of private files – including personal computer backups of @Microsoft employees
How did it happen?
A single misconfigured token in @Azure Storage is all it takes pic.twitter.com/ZWMRk3XK6X— Hillai Ben-Sasson (@hillai) September 18, 2023
An "attacker could have injected malicious code into all the AI models in this storage account," Wiz's researchers write, "and every user who trusts Microsoft’s GitHub repository would've been infected by it."
And due to how sensitive the data is, the leak could have made Microsoft more vulnerable to cyberattacks.
To make the matter even worse, the SAS misconfiguration dates back to 2020, meaning that this sensitive material has basically been open for anyone for several years.
Long story short, the mistake happened because of just one misconfigured URL that was caused by human error.


The incident underscores the potential for security missteps when using SAS links, said Ami Luttwak, CTO and co-founder of Wiz.
"The AI researcher just wanted to share a database, which is fine, but how do I know if my users — who they want to share something with — mistakenly share our entire storage account," he explained. "They even gave write permission, not just read permissions, so it could have even led to remote execution."
Microsoft, for its part, said that the PCs were used by two former employees. After being notified about the exposure on June 22, the Redmond-based company said that it has revoked the SAS token to prevent any external access to the storage account, and it contained the leak two days later, on June 24.
"Additional investigation then took place to understand any potential impact to our customers and/or business continuity," Microsoft added.
"Our investigation concluded that there was no risk to customers as a result of this exposure."













































































































































































































































































































































































