
Microsoft’s Copilot found exposing thousands of private GitHub repositories

On February 27, 2025, security researchers from cybersecurity company Lasso discovered a serious data exposure issue involving Microsoft's Copilot.

What Happened?

Researchers found that Copilot was surfacing content from thousands of GitHub repositories that had once been public but had since been made private. The root cause is cached data retained by Microsoft's Bing search engine: Copilot drew on that cache, and so continued to serve previously public content even after the repositories were made private.

Affected Scope

Over 20,000 repositories and more than 16,000 organizations (including major tech companies) were identified as impacted.

Steps for Exploitation
  1. Public repositories were indexed by the Bing search engine.
  2. The repositories were subsequently changed from public to private.
  3. Cached copies of the repository data remained accessible through Bing's cache.
  4. Copilot could query and retrieve data from these cached copies, even though the repositories now appeared private on GitHub.

Resolution

Microsoft removed direct links to cached Bing content from public search results starting December 2024. However, Copilot continued accessing cached content, indicating an incomplete resolution.

What You Can Do

  1. Review Your GitHub Repositories: Check if your repositories were ever briefly public during 2024 and subsequently made private.
  2. Rotate Secrets and Keys: Immediately rotate or revoke any sensitive keys or tokens that may have been exposed.
  3. Monitor Generative AI Use: Establish guidelines for how your teams leverage AI coding assistants, clarifying risk factors of “zombie data.”
  4. Engage Microsoft: If your repositories are affected, contact Microsoft directly to ensure that your cached data is removed from Bing and Copilot.
  5. Audit GitHub Configuration: Proactively manage your SaaS security posture, including detecting repositories that are made public in your organization.
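The first and fifth steps above come down to one question: which repositories were public for any period and later made private? The script below is an added example, not code from the article or from Lasso; it works through that check over organization audit-log entries. It assumes (not stated in the article) that a visibility change is logged as an event with `action == "repo.access"`, a `repo` name, a `visibility` of `"public"` or `"private"`, and a `created_at` timestamp in milliseconds; adjust the field accessors if your export differs.

```python
"""Find repositories that were public and later made private (the "zombie
data" window) from GitHub audit-log entries. Field names are assumptions."""
from datetime import datetime, timezone

# Constructed sample entries standing in for an audit-log export.
SAMPLE_EVENTS = [
    {"action": "repo.create", "repo": "acme/billing", "created_at": 1704067200000},
    {"action": "repo.access", "repo": "acme/billing", "visibility": "public",
     "created_at": 1709164800000},   # 2024-02-29: made public
    {"action": "repo.access", "repo": "acme/billing", "visibility": "private",
     "created_at": 1709424000000},   # 2024-03-03: made private again
    {"action": "repo.access", "repo": "acme/docs", "visibility": "public",
     "created_at": 1712000000000},   # 2024-04-01: still public, window not closed
    {"action": "repo.access", "repo": "acme/old-site", "visibility": "private",
     "created_at": 1715000000000},   # 2024-05-06: no earlier "public" event in log
]


def _to_dt(ms):
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def public_windows(events):
    """Return {repo: [(public_since, made_private_at), ...]} for every
    public -> private transition. Visibility is only logged when it changes,
    so a "private" event with no earlier "public" event means the repo was
    already public before the export began; it is reported with
    public_since=None rather than silently dropped."""
    changes = sorted((e for e in events if e.get("action") == "repo.access"),
                     key=lambda e: e["created_at"])
    since = {}    # repo -> time it became public
    windows = {}  # repo -> closed exposure windows
    for e in changes:
        repo, ts = e["repo"], _to_dt(e["created_at"])
        if e.get("visibility") == "public":
            since[repo] = ts
        elif e.get("visibility") == "private":
            windows.setdefault(repo, []).append((since.pop(repo, None), ts))
    return windows


def exposed_in_year(windows, year):
    """Repos with a closed public window that overlaps the given year.
    An unknown start (None) is treated as possibly covering earlier years,
    which errs on the side of rotating secrets."""
    return {repo for repo, spans in windows.items()
            for start, end in spans
            if (start is None or start.year <= year) and end.year >= year}


if __name__ == "__main__":
    for repo, spans in public_windows(SAMPLE_EVENTS).items():
        for start, end in spans:
            print(f"{repo}: public from {start or 'before log start'} until {end}")
```

Repositories that are still public (like `acme/docs` in the sample) are not "zombie data" yet, but they show up in `since` and are worth reviewing in the same pass.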

By proactively auditing repositories, securing credentials, and educating your teams on the persistence of cached data, you can mitigate the risk of exposing private GitHub content through AI-driven tools.
