Microsoft has now joined the growing ranks of legal claims bordering on what has been described as “abuse of its AI services” by stealing and, thus, “piercing” critical safety measures on the platform. The 10 Doe defendants, unnamed in the suit, purportedly committed theft of user credentials and access to Microsoft Azure OpenAI.
API Key Theft and Hacking-as-a-Service
As per Microsoft, the defendants systematically and through their deceitful acts stole API keys, the fundamental means of authentication to its AI services. The hacked accounts were allegedly pivotal in creating an act of “hacking-as-a-service” One main ingredient for that operation would be De3u, a software that enabled one to convert images synthesized by OpenAI’s DALL-E without the necessity of writing an actual code.
The company’s complaint also mentioned that De3u is preferable as it can bypass Azure OpenAI’s content moderation system hence making it possible to generate malicious and illegal content. Microsoft is alleging that both bright and dark worlds have been breached by the acts of the defendants into violations of various statutes such as the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act, as well as federal racketeering laws.
Microsoft’s Counteroffensive and Legal Action
Microsoft stated that the misuse of its API keys was discovered in July 2024, and steps were taken to remedy this situation. The company recently received court permission to take control of a domain central to the operations of the defendants, thereby allowing Microsoft to gather evidence and demolish the remaining technical infrastructure used in the scheme.
The company would also have to remove De3u’s entire repository from its GitHub and has instituted new security measures to safeguard its Azure OpenAI services.
Moving Forward
In addition to seeking damages, Microsoft is pursuing injunctive relief to prevent further misuse of its services. The tech giant emphasized its commitment to ensuring the integrity of its platforms and protecting its customers from malicious activities.
This lawsuit highlights the increasing challenges tech companies face in securing their AI platforms as they become more widely adopted across industries.