Microsoft AI researchers accidentally leaked company passwords and 30,000 internal Teams messages

  • Microsoft confirmed Monday that large amounts of data were mistakenly leaked.
  • Researchers provided a link to AI models via GitHub.

A team of AI researchers at Microsoft mistakenly leaked large amounts of data while trying to share their work, the company confirmed on Monday.

Microsoft said the team was trying to share open-source training data on the software development platform GitHub, as is common behavior in the AI sector.

However, the cybersecurity firm Wiz discovered that the researchers accidentally gave people access to 38 terabytes of data.

That's because the Microsoft researchers' GitHub repository told users to download AI models from a cloud storage URL. But the link had been misconfigured to the extent that it granted permissions across the entire storage account, according to Wiz.

Wiz found that the account included Microsoft employees' personal computer backups, passwords to Microsoft services, secret keys, and over 30,000 internal Teams messages.


"No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue," Microsoft said in Monday's blog post.

"We are sharing the learnings and best practices below to inform our customers and help them avoid similar incidents in the future," it added.

Wiz reported the issue to Microsoft back in June, and Microsoft invalidated the link two days later. Both companies disclosed the debacle on Monday.

That's less than two weeks after Microsoft published the findings of an investigation into China-based hackers. It found that when a system crashed back in 2021, a snapshot of the process accidentally revealed a signing key.

And that let the threat actor, known as Storm-0558, compromise a Microsoft engineer's account, giving access to email accounts including those of US government agencies.