Updated March 23: Microsoft has confirmed that it was indeed breached, and we have more details.
Microsoft may have been hacked, with 37 GB of source code for Bing, Bing Maps and Cortana stolen. Or maybe not — Microsoft has yet to confirm the data theft, which was claimed over the weekend by a purportedly Brazilian group of hackers calling themselves Lapsus$.
The group seems amateurish, but its previous claims of hacking into the company networks of Nvidia, Samsung and Ubisoft have proven to be true. Today, enterprise single-sign-on provider Okta (opens in new tab) confirmed that Lapsus$ had indeed broken into its systems by stealing an employee password.
On Sunday (March 20), Lapsus$ put up what appeared to be screenshots of a Microsoft Azure DevOps cloud server containing the aforementioned items. Because the screenshot showed just part of an alphabetized list of projects, it's possible many other Microsoft assets were compromised.
On Monday (March 21), according to Bleeping Computer (opens in new tab), the Lapsus$ group posted a torrent link for a 9-GB compressed archive, which when unpacked seems to be 37 GB of web-based features and mobile apps. There didn't seem to be any desktop software, such as Windows or Microsoft Office, involved, but Bleeping Computer said the files sure looked real.
Whether Microsoft did indeed have several gigabytes of source code stolen, it's not clear exactly how that could affect the end user.
A French security researcher named Soufiane Tahiri claimed that valid Microsoft digital-signature certificates had been part of the Lapsus$ leak, which might let criminals and other attackers create malware that could get past Microsoft's defenses.
Just successfully signed an assembly using one of the #Microsoft's certificates from the #Lapsus leak. pic.twitter.com/EWtbpGhE6vMarch 22, 2022
However, Will Dormann of the U.S. government's CERT Coordination Center wasn't so sure.
I mean, I just made a signing certificate called "Microsoft" to sign mimikatz.exeIt's similarly untrusted.Does this prove anything? No. pic.twitter.com/FWbCTrhwxnMarch 22, 2022
For the moment, we're going to have to wait and see whether Microsoft confirms the data theft, or criminals really do start exploiting secrets disclosed by the apparently stolen data. We've reached out to Microsoft for comment and will update this story when we receive a reply.