February 18, 2026

From Copilot to Copi-leak

Article URL →HN comments →

Microsoft says bug causes Copilot to summarize confidential emails

Users fume as 'confidential' got summarized — trust broken or just a glitch

TLDR: Microsoft admits a bug let Copilot summarize “confidential” emails in Sent and Drafts; a fix is rolling out, scope still unclear. Commenters split between outrage over a trust breach, pragmatic notes that it stayed within your own mailbox, and a bigger debate about AI needing access versus respecting boundaries.

Microsoft’s Copilot just wandered into the “do not touch” zone: a bug made it summarize emails in your Sent and Drafts, even when they were marked confidential and guarded by data‑loss rules. The company says it’s a code slip (tagged CW1226324), first spotted Jan 21, with a fix rolling out since early February and ongoing checks with affected users. But the comment section? Absolutely on fire.

One camp is furious about the advisory label—typically used for “limited impact”—with one user demanding to know how a privacy lapse gets downplayed as an advisory. Another crew is trying to calm the room: as user codeulike notes, this wasn’t snooping in other people’s inboxes, it was your own mailbox—still wrong, but a scope check. Then there’s the philosophical take: indiekitai argues this is the AI paradox in action—assistants need wide access to be helpful, but drawing the lines cleanly is hard and will keep biting us.

Meanwhile, meme-lords showed up with “A bug here and a bug there…” vibes, and jokes about Copilot reading your drafts like a nosy roommate. There’s even timeline drama: one user claims Feb 3 as the start date, nudging the “who knew time is a bug” crowd. Microsoft’s status notes say they’re monitoring, but trust? That’s the real patch everyone’s waiting on.

Key Points

  • A Microsoft 365 Copilot Chat 'work tab' bug caused summarization of emails in Sent and Drafts, including those with confidentiality/sensitivity labels.
  • The issue is tracked as CW1226324 and was first detected on January 21.
  • Microsoft attributed the problem to a code error and began deploying a fix in early February.
  • Microsoft is monitoring the fix rollout and contacting a subset of affected users to verify effectiveness.
  • No final remediation timeline or impact scope has been provided; the incident is tagged as an advisory indicating typically limited impact.

Hottest takes

"A bug here and a bug there..." — dolphinscorpion
"How is having Copilot breach trust and privacy an “advisory”?" — childofhedgehog
"they need broad access to be useful, but that access is hard to scope correctly" — indiekitai

Save News

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.