Data leak

Microsoft AI Research Team 38TB Exposure via Misconfigured Azure SAS Token

📅 2020-07-20 🏢 Microsoft Azure Blob Storage (SAS token misconfiguration)

Incident Details

On July 20, 2020, Microsoft’s AI research team published open-source AI training data to GitHub and inadvertently included an overpermissioned Azure SAS token in the repository. The token granted ‘full control’ permissions (read, write, delete, and list) on the entire Azure Blob Storage account rather than on the intended folder of training data alone.

The token remained exposed and usable for approximately three years. Wiz Research discovered the exposure on June 22, 2023 and reported it to Microsoft; Microsoft remediated the issue by invalidating the token on June 24, 2023, and the finding was publicly disclosed on September 18, 2023.

The 38TB of exposed internal data included backups of workstation files belonging to two Microsoft employees (including sensitive personal data), over 30,000 internal Microsoft Teams messages from 359 Microsoft employees, private SSH keys, passwords, and other internal credentials. No customer data was exposed, and Microsoft confirmed it found no evidence of unauthorized external access.

The incident illustrates how Azure SAS tokens, which look like ordinary URLs and are often handled casually by developers, can carry dangerous levels of privilege, are difficult to audit, and can persist for years without revocation. Wiz Research used the finding to advocate for stronger SAS token controls and better visibility into them in cloud environments.

Technical Details

Initial Attack Vector
Misconfigured Azure SAS (Shared Access Signature) token published to a public GitHub repository by Microsoft AI researchers. The token was configured with 'full control' permissions on an entire Azure Blob Storage account rather than read-only access to a specific folder, so any GitHub visitor who found it had read, write, and delete access to all 38TB of data in the account.
Vendor / Product
Microsoft Azure Blob Storage (SAS token misconfiguration)
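As an added example (not code from this page, from Wiz Research, or from Microsoft), the Python scanner below pulls SAS URLs out of text such as a checked-in config file and reports the three properties that combined in this incident: account-wide scope, mutating permissions, and a multi-year expiry. The storage account name, both sample URLs, and their signatures are constructed and fake; the parameter names it inspects (sv, ss, srt, sr, sp, se, si, sip, spr, sig, skoid) are Azure's documented SAS query parameters.

```python
"""Added example (not from the page, Wiz, or Microsoft): find Azure SAS URLs in text
and audit each token's scope, permissions and lifetime. Sample URLs and signatures
below are constructed and fake."""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# sp= permission letters documented for Azure Storage SAS tokens.
PERMISSION_NAMES = {
    "r": "read", "l": "list", "w": "write", "d": "delete", "a": "add", "c": "create",
    "u": "update", "p": "process", "x": "delete-version", "t": "tag", "f": "filter",
    "i": "set-immutability", "y": "permanent-delete",
}
# Everything except read, list and filter lets the holder change or destroy data.
MUTATING = set(PERMISSION_NAMES) - {"r", "l", "f"}

# Fixed clock so the sample audit is reproducible.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)

# Constructed stand-in for a committed config file (not the real leaked token; signatures are fake).
SAMPLE_REPO_TEXT = """# constructed sample, not the real leaked token
DATA_URL = "https://examplestorage.blob.core.windows.net/?sv=2020-08-04&ss=bfqt&srt=sco&sp=rwdlacupx&se=2050-01-01T00:00:00Z&spr=https,http&sig=FAKESIGNATURE%3D"
MODEL_URL = "https://examplestorage.blob.core.windows.net/models?sv=2020-08-04&sr=c&sp=rl&se=2024-01-08T00:00:00Z&spr=https&sip=203.0.113.0-203.0.113.255&sig=FAKESIGNATURE2%3D"
"""

URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def find_sas_urls(text):
    """Return every URL in text that carries a SAS signature (sig=) and a permission set (sp=)."""
    hits = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        q = parse_qs(urlparse(url).query)
        if "sig" in q and "sp" in q:
            hits.append(url)
    return hits


def audit_sas(url, now, max_lifetime_days=7):
    """Classify one SAS URL and list the properties that made the 38TB exposure possible."""
    p = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings = []

    # Scope: ss=/srt= only appear on an account SAS, which covers the whole storage account.
    if "ss" in p or "srt" in p:
        kind = "account"
        findings.append(f"account SAS: scope is the whole storage account (ss={p.get('ss')}, srt={p.get('srt')})")
    elif "skoid" in p:
        kind = "user-delegation"   # signed with an Entra ID delegation key, not the account key
    else:
        kind = "service"           # scoped by sr= to one blob, container, etc.

    mutating = sorted(set(p.get("sp", "")) & MUTATING)
    if mutating:
        findings.append("mutating permissions: " + ", ".join(PERMISSION_NAMES[c] for c in mutating))

    # Lifetime: se= is the signed expiry; without it the token relies on a stored access policy (si=).
    lifetime_days = None
    if "se" in p:
        expiry = datetime.fromisoformat(p["se"].replace("Z", "+00:00"))
        if expiry.tzinfo is None:
            expiry = expiry.replace(tzinfo=timezone.utc)
        lifetime_days = (expiry - now).total_seconds() / 86400
        if lifetime_days < 0:
            findings.append("token already expired")
        elif lifetime_days > max_lifetime_days:
            findings.append(f"expires {lifetime_days:.0f} days from now (limit {max_lifetime_days})")
    else:
        findings.append("no se= expiry on the token" + (" (stored access policy si= in use)" if "si" in p else ""))

    if "sip" not in p:
        findings.append("no source-IP restriction (sip=)")
    if p.get("spr", "https,http") != "https":
        findings.append("plain HTTP allowed (spr= missing or not 'https')")

    critical = kind == "account" and bool(mutating) and (lifetime_days is None or lifetime_days > max_lifetime_days)
    return {"url": url, "kind": kind, "mutating": mutating, "lifetime_days": lifetime_days,
            "findings": findings, "critical": critical}


def audit_text(text, now):
    """Audit every SAS URL found in text; one report per token, in order of appearance."""
    return [audit_sas(u, now) for u in find_sas_urls(text)]


if __name__ == "__main__":
    for report in audit_text(SAMPLE_REPO_TEXT, SAMPLE_NOW):
        flag = "CRITICAL" if report["critical"] else "ok"
        print(f"[{flag}] {report['kind']} SAS {report['url'][:60]}...")
        for finding in report["findings"]:
            print("   -", finding)
```

Run as a script it prints one report per token: the first constructed URL (account SAS, rwdlacupx, expiry decades out, no IP restriction) is flagged critical, while the second (container-scoped service SAS, read and list only, seven-day expiry, IP-restricted, HTTPS only) produces no findings and is the shape a training-data link should have had. When the check fires on an account SAS in a public repository, bear in mind that an account SAS cannot be revoked on its own: it stays valid until the storage account key that signed it is rotated, which is why a token committed in 2020 could still work in 2023. A service SAS bound to a stored access policy (si=) can be cut off by deleting the policy, and a user delegation SAS by revoking the delegation key.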

Timeline

  1. 2020-07-20 SAS token published to public GitHub repository (exposure began)
  2. 2023-06-22 Wiz Research discovered the exposure and reported it to Microsoft
  3. 2023-06-24 Microsoft invalidated the SAS token
  4. 2023-09-18 Publicly disclosed