Once data is exposed on the internet, it can remain accessible in AI-powered chatbots—even if swiftly removed. This conclusion was reached by cybersecurity specialists at Lasso, an Israeli firm focused on generative AI threats and digital security.
Researchers discovered that information from private GitHub repositories continues to be indexed and utilized by Microsoft Copilot. Among the affected companies are Microsoft, Google, IBM, PayPal, Tencent, and several others. The root of the issue lies in Bing’s caching system, which indexes publicly available repositories, even if they were exposed for only a brief period.
The flaw came to light when Lasso unintentionally made one of its repositories public, then swiftly restricted access. However, upon querying Copilot, researchers found that data from the deleted repository remained accessible. A subsequent analysis of thousands of repositories revealed that over 20,000 deleted or hidden repositories were still retained within Bing’s cache and accessible through Copilot, affecting more than 16,000 organizations.
The potential risk is significant, as Copilot may inadvertently disclose confidential information, including intellectual property, corporate data, access keys, and authentication tokens. Lasso also uncovered a Microsoft tool cached within Bing, which was reportedly capable of generating “malicious and offensive” images using cloud-based AI.
Lasso alerted affected organizations, advising them to revoke compromised keys. However, none of the impacted companies, including Microsoft, have publicly addressed the issue. In November 2024, Lasso reported the flaw to Microsoft, but the company classified it as a “low threat”, deeming Bing’s caching behavior acceptable.
Although Microsoft removed cached Bing links from its search results in December 2024, Lasso contends that the issue remains unresolved, as the data is still retrievable via Copilot. This suggests that Microsoft’s fix was merely a temporary workaround rather than a comprehensive solution.
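The practical response described above, revoking every key that was ever committed to a repository that was public for any length of time, presupposes knowing which keys those were. The script below is an added example (not Lasso's or Microsoft's code) that flags credential-shaped strings in text and, via `git log --all --reflog`, across a repository's entire history, including branches deleted after the repository was made private again. The token prefixes, the entropy threshold and the sample diff are constructed assumptions for illustration.

```python
"""Find credential-shaped strings in text or in a repository's full git history."""
import math
import re
import subprocess
from collections import Counter

# Prefix-based patterns for well-known credential formats (assumption: these
# match the publicly documented AWS access key ID and GitHub token formats).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
}
# Generic catch-all: long base64-like runs with high Shannon entropy.
GENERIC = re.compile(r"[A-Za-z0-9+/]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; chosen for this example

def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def find_secrets(text: str) -> list:
    """Return (kind, value) pairs for every credential-shaped string in text."""
    found = []
    for kind, pat in PATTERNS.items():
        found.extend((kind, m.group(0)) for m in pat.finditer(text))
    known = [v for _, v in found]
    for m in GENERIC.finditer(text):
        s = m.group(0)
        # Skip runs already covered by a specific pattern (e.g. the token body).
        if any(s in k for k in known):
            continue
        if shannon_entropy(s) >= ENTROPY_THRESHOLD:
            found.append(("high_entropy", s))
    return found

def scan_history(repo_path: str) -> list:
    """Scan every diff reachable from any ref or reflog entry, so content that
    lived only on a since-deleted branch is still inspected."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "--all", "--reflog", "-p", "--no-color"],
        capture_output=True, text=True, check=True).stdout
    return sorted(set(find_secrets(out)))

# Constructed sample diff: the AWS key is Amazon's documented example value,
# the other values are made up; none is a real credential.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
+GITHUB_TOKEN=ghp_ab12CD34ef56GH78ij90KL12mn34OP56qr78
+SIGNING_SECRET=q7Lm2Xa9Kd4Rz0Wn1Pv8Cb3Jt5Yf6HgU
+PADDING=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+readme = 'this is an ordinary line of documentation text'
"""
```

Run `scan_history(".")` inside a checkout to list what must be rotated; the low-entropy `PADDING` line in the sample is deliberately not reported.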