Microsoft has been the target of an attack by hacker group Lapsus$, with 37GB worth of internal files now showing up online. According to the hackers, the leak originates from an Azure DevOps server that the hackers managed to find their way into, and it contains source code for many Microsoft products, including Bing and Cortana.

The hacker group initially posted a screenshot of the files on Sunday, and then shared a 7-zip archive containing all of the files on Monday. The compressed file is only 9GB in size, but after uncompressing, it adds up to 37GB of source code for over 250 Microsoft projects, according to the hackers. Most of the projects are reportedly for web-based and mobile apps, so if you're hoping to see anything Windows-related here, you're out of luck.

List of files on an Azuure DevOps server
Purported Microsoft source code on Azure DevOps

The leak supposedly contains 90% of the source code for Microsoft's Bing Maps, and 45% of the source code for Bing itself and Cortana, and according to security researchers speaking with BleepingComputer, the files look like legitimate internal code from Microsoft. Additionally, emails and documentation Microsoft engineers used to publish mobile apps are apparently included in the leak.

Lapsus$ has garnered a bit of a reputation for hacking different companies in recent months. Among the victims, Samsung has had source code for its Galaxy phones stolen. NVIDIA, Ubisoft, and others are also included, so there are some pretty big names being targeted by this group. On their Telegram group, the hackers have a message looking for corporate insiders, suggesting this is how they manage to get into secure files at some of the largest companies in the world. It's also possible that they're leveraging Okta, an identity management platform that Lapsus$ claims to have hacked into.

Microsoft has yet to confirm whether the data leak contains legitimate data for Bing and other services, but it is investigating the claims. We'll likely hear from the company if it is confirmed that the data is real.


Source: Lapsus$ (Telegram)

Via: BleepingComputer