The hackers behind a recent attack against Indonesia’s Tokopedia have now targeted Microsoft. According to a report from HackRead, the hacking group, which calls itself “Shiny Hunters” (perhaps a Pokemon reference), gained access to Microsoft’s GitHub account. Shiny Hunters has been in direct contact with HackRead as it is clear that they want full credit for the breach. To prove the veracity of their claims, Shiny Hunters provided the following screenshots to HackRead showing various repositories:
The contents of the Microsoft GitHub account includes roughly 500GB of data that consists of various code samples, projects, eBooks, and much more. HackRead pointed to three particular items that were of particular interest, namely wssd cloud agent, the Rust/WinRT language projection, and PowerSweep (a Powershell-based ping sweeper). There has not been any private information confirmed to exist within the repositories. Shiny Hunters is also confirmed to have published around 1GB of data from the hacked GitHub account to a hacking forum.
Though these screenshots seem legitimate, there were some cybersecurity experts that doubted the claims until analyzing them. Upon analysis, however, the veracity of Shiny Hunters’ claims that they breached Microsoft’s GitHub account were no longer in question. In particular, Under the Breach stated the following in a tweet:
After some research and because the actor dumped the entire dirlist of the private repositories, it appears this is real.
I doubt there is anything too private in these repositories but companies do sometime leave keys/passwords on Github by mistake. pic.twitter.com/4L8s18hQA0
— Under the Breach (@underthebreach) May 6, 2020
Under the Breach went on to conduct an interview with HackRead in which they said the following:
While for some companies Github serves as a tool to store valuable source code in the form of private repositories, companies as large as Microsoft aren’t likely to do the same as they are self-sufficient and have secured internal systems designed to hold sensitive source codes... That being said, companies often do make mistakes such as leaving keys and passwords in these private repositories, forgetting they aren’t very safe. but Under the Breach contacted Microsoft to make sure they’re aware of the leak and will replace any keys or passwords exposed if there are any, the company explained.
Once contacted by Under the Breach, Microsoft secured their GitHub account. This is confirmed by Shiny Hunters as they report being unable to access any repositories. As GitHub is a Microsoft property, acquired to the tune of $7.5 billion in 2018, this is a PR nightmare. Microsoft’s security capabilities have long been questioned, as have their privacy practices, and this Shiny Hunters breach doesn’t help reduce skepticism. To have the company’s very own account accessed by a fresh face in cybercrime shows they do not have things under control.
GitHub users justifiably have many questions for the company following this, and Microsoft should prepare to deal with them.
Featured Image: GitHub