Thirty-eight TB of internal Microsoft data left unprotected for three years

On September 18, 2023, cyber startup Wiz revealed that a 38-TB Microsoft internal database had remained exposed for almost three years. The database, used by Microsoft AI researchers, contained personal codes, passwords and Teams direct messages. The Redmond-based company confirmed the statement the same day.

Wiz identified the leak on the development platform GitHub, where Microsoft allows experts to download their public AI research. In the second quarter of 2020, an employee posted a redirect URL that granted access to the entire storage account by mistake.

On June 22, 2023, Wiz shared its findings with Microsoft, which revoked the problematic access on June 24, 2023. The IT giant concluded the investigation of the incident’s organizational consequences on August 16, 2023, but remains in the dark as to who could have accessed the exposed data.

The matter arises in a strained context for Microsoft in regard to data protection. In early September 2023, the company recognized its messaging service had been hacked by a Chinese State-sponsored group named Storm-0558. Shortly after, Microsoft shared documents tied to its Activision bid with the US justice system, but without redacting sensitive data.