Manouchehri's comments

I've seen Azure OpenAI leak other customers' prompt responses to us under heavy load.

https://x.com/DaveManouchehri/status/2037001748489949388

Nobody seems to care.


This is insane, when you say azure OpenAI, do you mean like github copilot, microsoft copilot, hitting openai’s api, or some openai llm hosted on azure offering that you hit through azure? This is some real wild west crap!

The latter, their arrangement with OpenAI enabled this.

I have noticed a similar bug on Copilot. I noticed a chat session with questions that I had no recollection of asking. I wonder if it's related. I brushed it off as the question was generic.

I would guess that Copilot uses Azure OpenAI.

In my small sample size of a bit over 100 accidentally leaked messages, many/most of them are programming related questions.

It's easy to brush it off as just LLM hallucinations. Azure OpenAI actually shows me how many input tokens were billed, and how many input tokens were checked by the content filter. For these leaked responses, I was only billed for 8 input tokens, yet the content filter (correctly) checked >40,000 chars of input token (which was my actual prompt's size).



Correct.

If this is real, the scary part isn't that it happened. The scary part is Microsoft not acknowledging/publishing/warning that it happened. "We gave your data to other people" is one of those things you should really tell people.

That is absolutely insane.

Yeah, I saw over 100 leaked messages.

Fun ones include people trying to get GPT to write malware.

  I can’t help create software that secretly runs in the background, captures user activity, and exfiltrates it. That would meaningfully facilitate malware/spyware behavior.

  If your goal is legitimate monitoring, security testing, or administration on systems you own and where users have given informed consent, I can help with safe alternatives, for example:

  - Build a visible Windows tray app that:
    - clearly indicates it is running
    - requires explicit opt-in
    - stores logs locally
    - uploads only to an approved internal server over TLS
  - Create an endpoint telemetry agent for:
    - process inventory
    - service health
    - crash reporting
    - device posture/compliance
  - Implement parental-control or employee-monitoring software with:
    - consent banners
    - audit logs
    - uninstall instructions
    - privacy controls and data retention settings

  I can also help with defensive or benign pieces individually, such as:

  - C# Windows Service or tray application structure
  - Secure HTTPS communication with certificate validation
  - Code signing and MSI installer creation
  - Local encrypted logging
  - Consent UI and settings screens
  - Safe process auditing using official Windows APIs
  - How to send authorized telemetry to your own server

  If you want, I can provide a safe template for a visible C# tray app that periodically sends approved system-health telemetry to your server

Hope that person with the chest pain went to the doctor


Should be a high severity incident if data isolation has failed anywhere. And that is for SaaS let alone cloud provider.

Did you anonymize those? Did Azure dox them or send the templated version?

Azure sent them to me like that.

I only saw two companies mentioned in the messages I got back. I reached out to both to try to confirm, but never heard back.


There's only very niche fields where closed-source code quality is often better than open-source code.

Exploits and HFT are the two examples I can think of. Both are usually closed source because of the financial incentives.


Here we can start debating what better code means.

I haven’t seen HFT code but I have seen examples of exploit code and most of it is amateur hour when it comes to building big size systems.

They are of course efficient in getting to the goal. But exploits are one-off code that is not there to be maintained.


Would you be open to offering MASQUE proxying? I started to add support to GOST, been testing with Bright Data (only for UDP sadly, not TCP), but would love to see others add support so I could test with more than just 1 vendor.

https://github.com/go-gost/x/pull/75

https://github.com/go-gost/x/pull/76


Would a similar technique work for tunnels through QUIC?


I mentioned this in a podcast recently; fingerprinting of proxy servers using QUIC is a lot harder as UDP doesn't have enough headers to allow for unique characteristics like TCP does.

There's no way to include a timestamp in a UDP datagram so all timestamps received would be from the client machine.


Interesting!

So far I've only seen Bright Data (among the large players) offer UDP proxying over QUIC/HTTP3, but that's pretty limiting since less than half of sites have HTTP/3 enabled to begin with.


Bright Data offer H3/QUIC but only in beta and you have to contact their sales team as far as I'm aware.

We (PingProxies) might be the only company to offer H3 to the proxy/QUIC to the target using the CONNECT-UDP method publicly. Although, it is in beta/unstable until I merge my changes into Rust's H3 library.

If you wanna play around with it, email me and I'll get you some credit. I think there's potential for stealth since outdated proxy clients/servers mean automated actors never use H3.

The proxy industry is full of another 100 companies saying they offer H3/QUIC, when they mean UDP proxying using SOCKS. I suppose the knowledge gap and what customers care about (protocol to end target) is very different to what I care about (being right/protocol to the proxy server).


> Bright Data offer H3/QUIC but only in beta and you have to contact their sales team as far as I'm aware.

That's what I thought too, but it's working for me. (I've sent a lot of tickets, maybe they've put our account as something special without telling me, but doubt it.)

> If you wanna play around with it, email me and I'll get you some credit.

Done, emailed! :) Thanks!

> The proxy industry is full of another 100 companies saying they offer H3/QUIC, when they mean UDP proxying using SOCKS.

Out of the large players I've tested, none actually seem to even support SOCKS5's UDP ASSOCIATE. (I have not tested PingProxies yet.)

> I suppose the knowledge gap and what customers care about (protocol to end target) is very different to what I care about (being right/protocol to the proxy server).

I think there's a knowledge gap between the people making the sales landing pages, and the folks who actually run/maintain the proxy servers. There's some large vendors that advertise UDP support (for residential and/or mobile proxies) that I have yet to actually see working.


Yeah, I was often the single source of reporting Claude outages (or even missing support completely) on less commonly used Amazon Bedrock regions.


Which regions were you using? (Thought Claude had global inference support that routed to all regions.)


I believe I was using us-east-2.

In the early days of cross-region inference, fewer people were using it, and there was basically no monitoring (and/or alerting) on Amazon's side.

The cross-region and global inference routing is... odd at times.


I wrote a Telegram translate bot that uses Opus 4.5 for outgoing messages.

Super simple, yet it’s already good enough that I’ve had detailed conversations and debates in languages that I don’t speak at all.

https://github.com/aimoda/telegram-auto-translate


LiteLLM was good in the early days. I ran into more features than bugs. Sadly in the past year or so, I run into more bugs than features.


I documented the process of using AWS SES from a Cloudflare Worker about a year ago.

https://www.ai.moda/en/blog/ses-emails-from-workers

Hopefully it’s helpful next time for you!


I used to own spyware.tk until I forgot to renew it and the registrar disappeared. Sad I had to let that one go.


I don’t think Cloudflare is using B2; Backblaze isn’t listed as a sub-processor.

https://www.cloudflare.com/gdpr/subprocessors/cloudflare-ser...


Woops, I meant R2.


Yeah, it should be Cloudflare R2.

