Hacker News: Exposed GitHub repos, now private, can be accessed through Copilot

Feb 26, 2025

—

Source URL: https://techcrunch.com/2025/02/26/thousands-of-exposed-github-repos-now-private-can-still-be-accessed-through-copilot/
Source: Hacker News
Title: Exposed GitHub repos, now private, can be accessed through Copilot

Feedly Summary: Comments

AI Summary and Description: Yes

Summary: The text discusses the risks associated with data exposure in generative AI systems, particularly focusing on Microsoft Copilot’s ability to access previously public data from GitHub repositories, even after they’ve been made private. This raises significant concerns regarding security and the safeguarding of intellectual property.

Detailed Description:
The article outlines a critical security vulnerability related to generative AI tools like Microsoft Copilot. Key points include:

– **Data Exposure Risks**: Security researchers from Lasso highlight that data exposed online, even if only briefly, may remain accessible through AI systems like Copilot. This poses a significant risk for organizations that mistakenly expose data or have temporary public repositories.

– **Scope of Affected Data**: Lasso identified thousands of GitHub repositories from major companies (including Amazon, Google, and Microsoft) that were publicly accessible at some point in 2024, with over 20,000 repositories still containing data retrievable via Copilot.

– **Implications for Security**: Sensitive corporate data, access keys, confidential GitHub archives, and even potentially harmful AI tools were found accessible through Copilot. This emphasizes the need for organizations to be vigilant about their data exposure and manage their repositories carefully.

– **Company Response**: Lasso contacted affected companies to recommend rotating or revoking compromised keys. They disclosed the findings to Microsoft, which downplayed the severity of the issue, highlighting the ongoing concerns over cached data access.

– **Temporary Fixes and Recommendations**: Although Microsoft disabled the caching feature in response, the situation underscores the potential permanence of data once it has been indexed by an AI service, necessitating robust security measures from both cloud providers and users.

Overall, the scenario presents urgent implications for professionals in security and compliance, particularly emphasizing the need for proactive measures against data exposure in the realm of generative AI and the importance of ongoing vigilance regarding AI integrations with cloud services. This incident illustrates a tangible case of how past data leaks can have long-lasting ramifications in modern digital environments.

2 2024 24 4 5 a access access keys Act after AI AI integration AI systems AI tool AI tools Amazon and Arch ARM art as by C Cache caching CERN CIA closed Cloud Cloud Provider cloud providers cloud service cloud services companies compliance concerns Copilot core corporate data critical D data data access data exposure Data Exposure Risks data leak data leaks de digital digital environment digital environments e end environment exp feature for full g Gen generative Generative AI generative AI tools git GitHub GitHub repositories Go Google gs H hack hacker Hacker News high Highlight HR http HTTPS implications in incident integration integrations Intel Intellectual Property J k Key keys l Lasso led Li lm long man Micro Microsoft Microsoft Copilot Modern N news no o of on opilot organization organizations out over play point potential pre proactive proactive measures professionals public public data public repositories R rate RCE real recommendations research researchers response Risk risks RMF Ro robust security RoT s Sable safe search sec security security and compliance security measure security measures Security Research Security Researcher security researchers security vulnerability service services severity Sig SoC source SSE system systems T tech text the to tool tools Tor TP trie US use user Users V vigilance vulnerability Wi x