Microsoft Copilot security flaw may expose your private data, here is how to stay safe
A flaw in Microsoft Copilot could have exposed emails, files, and other private Microsoft 365 data.
Microsoft has fixed the issue and said there is no sign that any users were affected.
Avoid unknown links, keep software updated, and limit data access to stay protected.
Microsoft’s AI assistant Copilot was affected by a security issue that could have allowed attackers to access private information from Microsoft 365 accounts. The flaw, called SearchLeak, was discovered by cybersecurity researchers who warned that attackers could steal data with limited action from users. Copilot is used by many organisations to search files, summarise emails, and find information across Microsoft services. Microsoft has fixed the issue and said it found no evidence that customers were affected. Users should still stay careful, keep their accounts protected, and follow security practices to reduce the risk of data exposure.
Researcher Dolev Taler from Varonis Threat Labs discovered the issue and explained that SearchLeak involved multiple weaknesses in Copilot’s search feature. According to the researcher, an attacker could send a user a normal-looking link with hidden instructions. If the user opened the link, Copilot could misunderstand those instructions and treat them as a search request.

Researchers found that Copilot could then search information available to the user, including emails, meeting notes, documents, and files stored across Microsoft services. This data could then be encoded into an image link and sent out of the system through the Bing search engine, which made the data movement difficult to detect.
This made emails, information about meetings, files on SharePoint, data on OneDrive, and any other business information associated with Copilot vulnerable. Given how widely Microsoft 365 is used to store sensitive company information, the potential impact was significant.
The good news is that no attacks exploiting this flaw have been reported yet. Microsoft fixed the bug upon notification from the researchers and classified it as an important security issue.
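A defender-side check for the image-link channel described above, added here as an illustration and not taken from Microsoft or Varonis: it scans assistant output for image URLs whose query values or path segments decode to readable text, and it ignores the host because the data reportedly left through a trusted search engine. The hosts, sample text, function names and thresholds are assumptions constructed for the example.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Image references in assistant output: Markdown ![alt](url) or HTML <img src="url">.
IMG_URL = re.compile(r'!\[[^\]]*\]\(\s*([^)\s]+)|<img[^>]+src=["\']([^"\']+)', re.I)

def _decode(value):
    """Return bytes if value is valid hex or base64/base64url, else None."""
    try:
        return bytes.fromhex(value)
    except ValueError:
        padded = value + "=" * (-len(value) % 4)  # restore stripped padding
    try:
        return base64.b64decode(padded, altchars=b"-_", validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def _readable(data):
    """True when at least 90% of the bytes are printable ASCII."""
    return bool(data) and sum(32 <= b < 127 for b in data) / len(data) >= 0.9

def suspicious_image_urls(text, min_len=32, max_len=512):
    """Return (url, reason) for image links that appear to carry data.
    The host is ignored on purpose: a trusted domain can still relay data."""
    findings = []
    for m in IMG_URL.finditer(text):
        url = m.group(1) or m.group(2)
        parts = urlsplit(url)
        values = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        values += [unquote(seg) for seg in parts.path.split("/") if seg]
        for v in values:
            if len(v) > max_len:
                findings.append((url, "oversized value"))
                break
            decoded = _decode(v) if len(v) >= min_len else None
            if decoded is not None and _readable(decoded):
                findings.append((url, "encoded text: " + decoded.decode("ascii", "replace")))
                break
    return findings

# Constructed sample: hosts and content are placeholders, not from the research.
_DATA = base64.urlsafe_b64encode(b"Q3 board notes: budget approved").decode().rstrip("=")
SAMPLE = (
    "![logo](https://cdn.example/assets/logo.png?w=200)\n"
    f"![status](https://search.example/images?q={_DATA}&form=img)\n"
)

if __name__ == "__main__":
    print(suspicious_image_urls(SAMPLE))
```

The thresholds need tuning against real traffic, and long opaque tokens that do not decode to text are only caught by the size limit.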
How to stay safe
Staying safe from AI vulnerabilities like this one is straightforward. Here are some tips that individuals and organisations can follow to keep their data safe:
- Don’t click on links you weren’t expecting, even if they look real. Double-check who sent a link before opening it in an email or chat message.
- Make sure that your Microsoft 365 account and all your work software are kept up to date.
- Do not give employees access to information that is not required for their work.
- Always monitor what your AI tool can access.
Bhaskar is a senior copy editor at Digit India, where he simplifies complex tech topics across iOS, Android, macOS, Windows, and emerging consumer tech. His work has appeared in iGeeksBlog, GuidingTech, and other publications, and he previously served as an assistant editor at TechBloat and TechReloaded. A B.Tech graduate and full-time tech writer, he is known for clear, practical guides and explainers.
