Microsoft initiates lawsuit against a group for abusing its service

Microsoft has initiated a lawsuit against a group the company claimed was abusing its artificial intelligence (AI) service. According to Microsoft, the unnamed group developed tools that it used to bypass the safety guardrails of its AI products. The filed complaint stated that the group, composed of 10 unnamed individuals, allegedly stole user credentials.

Microsoft claimed that the defendants used the stolen user credentials and a software designed for the purpose was used to breach its Azure OpenAI service. Microsoft is in charge of managing the cloud service, which was created by OpenAI’s parent company ChatGPT. The said individuals broke several laws, one of which necessitated the filing of the lawsuit, Microsoft alleges.

Microsoft submits a complaint about an abuse of its services

In its complaint, Microsoft highlighted that the defendants, which it refers to under the legal pseudonym ‘Does’ violate the Computer Fraud and Abuse Act, a law under the Digital Millennium Copyright Act. The company also alleged that the individuals broke a federal racketeering law by illegally accessing and using its software and servers to create harmful and illegal content.

However, Microsoft has refused to enter into the details of the contents which it claimed were harmful and illegal. The company highlighted in its complaint that it discovered in July 2024 that some users with Azure OpenAI API Keys, a string of characters that is used to approve an app or user, were being illegally used to generate content that was not in line with the company’s acceptable use policy.

According to the filing, Microsoft discovered that the users came in contact with the API Keys illegally through some users. In its statement, Microsoft claimed the way they got the keys remains unknown, but it strongly believes the defendants stole the keys. “The precise manner in which Defendants obtained all of the API Keys used to carry out the misconduct described in this Complaint is unknown, but it appears that Defendants have engaged in a pattern of systematic API Key theft that enabled them to steal Microsoft API Keys from multiple Microsoft customers,” the statement read.

Legal verdict and future solutions

According to Microsoft, the defendants particularly targeted United States users, with the company claiming that the group used the stolen Azure OpenAI Service API keys to create a scheme it called ‘hacking-as-a-service’. The complaint mentioned that the defendants created a tool called De3u, which works on the client side. They also created another software that processed and routed communication from De3u to the company’s systems.

The firm noted that De3u leveraged the stolen API credentials to enable users to generate images using DALL-E, one of the OpenAI services open to users. However, the twist is that they can do so without writing their own codes. The filing also alleged that De3u also tried to stop the Azure OpenAI Service from reviewing prompts used to create images. The complaint mentioned that this only happens in a case where a prompt contains words that trigger the content filtering system on its platform.

A repo containing the De3u code, which was noted on Microsoft-owned GitHub had been removed at the time of writing. Microsoft noted that the combination of the stolen Azure OpenAI Service API keys and the tools allowed the defendants to circumvent its content measures. “These features, combined with Defendants’ unlawful programmatic API access to the Azure OpenAI service, enabled Defendants to reverse engineer means of circumventing Microsoft’s content and abuse measures,” the company said.

Meanwhile, the company, in a recent blog post, has mentioned that the court has approved its plea to seize a website integral to the defendants’ operations. Microsoft will use the opportunity to gather evidence and figure out how the service is being monetized in order to remove any technical infrastructure that is still remaining. The firm said it has put in measures to plug the gap, noting new safety measures for the Azure OpenAI Service. The company is also seeking injunctive and other equitable reliefs and damages.

From Zero to Web3 Pro: Your 90-Day Career Launch Plan