Microsoft sues group for creating tool to exploit its AI
What's the story
Microsoft has filed a lawsuit against a group of 10 unknown individuals, accusing them of abusing its cloud-based artificial intelligence (AI) products.
The lawsuit, filed in December in the US District Court for the Eastern District of Virginia, claims that the defendants used stolen customer credentials and specially crafted software to breach Azure OpenAI Service.
The service is a fully managed offering from Microsoft based on technologies developed by ChatGPT creator OpenAI.
Legal violations
Defendants accused of violating multiple laws
The defendants, dubbed as "Does" in the lawsuit, are accused of violating multiple laws such as the Computer Fraud and Abuse Act, Digital Millennium Copyright Act, and a federal racketeering law.
They reportedly abused Microsoft's software and servers to create offensive and illicit content. However, Microsoft has not revealed specific details of this abusive content.
The tech giant is seeking injunctive relief and damages.
Investigation findings
Discovery of policy violations and API key theft
In July 2024, Microsoft learned that Azure OpenAI Service credentials were being abused to generate content that breached the service's acceptable use policy.
An internal probe found that these API keys had been stolen from paying customers.
The lawsuit reads, "The precise manner in which Defendants obtained all of the API Keys used to carry out the misconduct described in this Complaint is unknown."
Unlawful activities
Alleged 'hacking-as-a-service' scheme and countermeasures
Microsoft alleges that the defendants used the stolen API keys to set up a "hacking-as-a-service" scheme.
They reportedly created a client-side tool called de3u and software to handle communications from de3u to Microsoft's systems.
The court has now allowed Microsoft to seize a website associated with the defendants' operations, allowing it to collect more evidence and disrupt any other technical infrastructure found.