Microsoft has filed a complaint in the US District Court for the Eastern District of Virginia against a group of hackers who illegally accessed its servers to create unsafe AI content. The company accused 10 anonymous defendants of violating the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, and federal racketeering laws. Microsoft’s investigation found that the defendants stole legitimate users’ API keys, which are used to authenticate access to Microsoft’s Azure OpenAI Service.
These stolen keys were then used to generate illicit content. The defendants developed a client-side tool called de3u, designed to steal API keys and communicate with Microsoft’s servers. This tool could bypass the Azure OpenAI Service’s built-in content filters, allowing the creation of images and content normally prohibited by OpenAI’s safety protocols.
Microsoft sues hackers over misuse
Microsoft first detected the misuse of these API keys in July 2024 and discovered that they had been stolen from multiple customers through a systematic operation. As a result of the court complaint, Microsoft successfully removed a related GitHub repository and website.
The company emphasized that combining the defendants’ tools and the stolen API keys enabled them to reverse engineer methods to circumvent Microsoft’s content and abuse measures. While Microsoft did not disclose specific details of the illicit content, the severity of the breach has led to significant legal actions to address and curb these abusive activities. This incident highlights the ongoing challenges and risks associated with cloud services and the importance of robust security measures to protect against unauthorized access and misuse.
Microsoft is taking a firm stand against the misuse of its generative AI services and sending a clear message that the weaponization of its AI technology by online actors will not be tolerated.
