Microsoft may have been hacked — what this means for you

(Image credit: Josep Lago/AFP via Getty Images)

Updated March 23: Microsoft has confirmed that it was indeed breached, and we have more details.

Microsoft may have been hacked, with 37 GB of source code for Bing, Bing Maps and Cortana stolen. Or maybe not — Microsoft has yet to confirm the data theft, which was claimed over the weekend by a purportedly Brazilian group of hackers calling themselves Lapsus$.

The group seems amateurish, but its previous claims of hacking into the company networks of Nvidia, Samsung and Ubisoft have proven to be true. Today, enterprise single-sign-on provider Okta confirmed that Lapsus$ had indeed broken into its systems by stealing an employee password.

On Sunday (March 20), Lapsus$ put up what appeared to be screenshots of a Microsoft Azure DevOps cloud server containing the aforementioned items. Because the screenshot showed just part of an alphabetized list of projects, it's possible many other Microsoft assets were compromised.

On Monday (March 21), according to Bleeping Computer, the Lapsus$ group posted a torrent link for a 9-GB compressed archive, which when unpacked seems to be 37 GB of web-based features and mobile apps. There didn't seem to be any desktop software, such as Windows or Microsoft Office, involved, but Bleeping Computer said the files sure looked real.

Whether Microsoft did indeed have several gigabytes of source code stolen, it's not clear exactly how that could affect the end user.

A French security researcher named Soufiane Tahiri claimed that valid Microsoft digital-signature certificates had been part of the Lapsus$ leak, which might let criminals and other attackers create malware that could get past Microsoft's defenses.

Just successfully signed an assembly using one of the #Microsoft's certificates from the #Lapsus leak. pic.twitter.com/EWtbpGhE6vMarch 22, 2022

However, Will Dormann of the U.S. government's CERT Coordination Center wasn't so sure.

I mean, I just made a signing certificate called "Microsoft" to sign mimikatz.exeIt's similarly untrusted.Does this prove anything? No. pic.twitter.com/FWbCTrhwxnMarch 22, 2022

For the moment, we're going to have to wait and see whether Microsoft confirms the data theft, or criminals really do start exploiting secrets disclosed by the apparently stolen data. We've reached out to Microsoft for comment and will update this story when we receive a reply.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.