A hacker appears to have stolen a swathe of Microsoft source code from private GitHub repositories. The news was confirmed by Under the Breach after the attacker, who was behind the invasion of Indonesia’s Tokopedia, posted snippets online.
Screenshots of a directory listing indicate that the 63 GB of source code includes entries for Office, Azure, and some Windows runtimes. However, Microsoft employees speaking to ZDNet say that while at least a small portion of the stolen files are authentic, the source code of major products such as Windows and Office remain private. They also say some of their private projects were not included in the listing.
This is likely because vital Microsoft source code isn’t on a public-facing platform. For that, it has an internal GitHub portal that is only accessible to on-site engineers. Officially, the company says that it’s “investigating” the incident, which is thought to have taken place in March by a hacker with the handle ‘Shiny Hunters’.
Under the Breach, who had direct contact with the attacker, says the information was obtained via a compromised account, which Microsoft has now identified and secured. Investigations by ZDNet suggest that at least some of the files included in the dump aren’t from the company. Most of the files, according to HackRead, are from code samples, test projects, and eBooks.
Even so, some of the private projects could contain mistakes such as private passwords and keys. As a result, Microsoft will have to comb through exactly what was stolen and revoke access tokens if necessary. Essentially, it’s going to be a headache, but it should prove far from catastrophic for its projects.
The bigger concern may be the kind of image this projects to the developer community. Though an employee misstep or not, Microsoft has failed to protect its own code on its own platform. Critics of the company’s acquisition may use this as ammunition despite the fact there’s no evidence of a security flaw in GitHub itself.