Microsoft employees accidentally exposed login credentials for important internal systems

nanoguy

Posts: 1,243   +24
Staff member
Why it matters: Over the past several years, Microsoft has built a massive cybersecurity business that can analyze trillions of threat signals every day. That said, it has difficulties dealing with the risks of accidental source code leaks and credential exposure. According to one cybersecurity firm, this is one of the main challenges faced by companies in this era of hybrid work.

It's an open secret that Microsoft has a $15 billion cybersecurity business outpacing all other products and services the company offers. Office 365, Azure, and Xbox are still big cash cows for the Redmond giant, but it's hard to ignore the fact that almost a third of the overall revenue comes from identifying emerging security threats, dismantling botnets, and helping various organizations secure their hybrid work infrastructure.

However, a cybersecurity firm called SpiderSilk (via Vice Motherboard) believes Microsoft also needs to improve its own security posture. Apparently, several Microsoft employees didn't follow good security practices and managed to expose sensitive login credentials on GitHub.

Microsoft, which owns GitHub, confirmed the findings. It turns out the exposed credentials were for Azure, which is Microsoft's cloud service. All of them were linked to an official Microsoft tenant ID and some were still active when SpiderSilk discovered them. A Microsoft spokesperson explained there's no evidence of unauthorized access and the company is already taking steps to prevent further accidental sharing of credentials.

This means the Redmond giant does move quickly when it comes to reducing the attack surface of its corporate infrastructure, but it also highlights the importance of security hygiene at a time when the number of cyberattacks, ransomware campaigns, and data breaches is surging. According to Check Point Software, the frequency of these attacks has increased by 42 percent globally in the first half of 2022 compared to the same period of last year.

For obvious reasons, the company was reluctant to say what internal systems could be accessed through the exposed credentials. At least in theory, once an attacker gains access to one point of interest, they may be able to move horizontally or vertically through the corporate infrastructure. For instance, machine-to-machine credentials that enable seamless integration between services can sometimes give almost unfettered access to an organization's systems.

Mossab Hussein, SpiderSilk's chief security officer, notes that "we continue to see that accidental source code and credential leakages are part of the attack surface of a company, and it's becoming more and more difficult to identify in a timely and accurate manner. This is a very challenging issue for most companies these days."

Over the past few years, SpiderSilk researchers have reported on several security incidents, including a massive Samsung data leak, exposed passwords of Elsevier users, personal information of WeWork customers being uploaded by developers, and a leaked list of Electronic Arts Slack channels.

In related news, Microsoft recently disrupted a multiyear cyber-espionage campaign of a Russian state-sponsored group known as "Seaborgium." The threat actor had been doing a mix of social engineering, credential theft, and sophisticated impersonation of business contacts to target key individuals in NATO countries.

The company has also started rolling out a tamper protection feature for Microsoft Defender for Endpoint on macOS, which is a boon for sysadmins dealing with Apple machines.

Masthead credit: Turag Photography

Permalink to story.

 

DSirius

Posts: 366   +760
TechSpot Elite
Since Google released Android as Open source and more people use smartphones instead of PC, Microsoft could not justify anymore the hiked price of Windows licenses. So they had to move to other businesses to milk customers. It seems that security is one of them, though is clear that with their credibility becoming lower and lower Microsoft has to find other businesses.
 

Burty117

Posts: 4,600   +2,901
I'd be surprised if the credentials actually got you into the tenant though.
I know people who work at Microsoft and it shouldn't come as a suprise that MFA is mandatory.

Don't get me wrong, it's definitely better no one knows your credentials to start with but I doubt this actually lead to any damage either.

Also, I hope the employee gets the sack. It's been common knowledge not to put your credentials in plain text on the public internet since the inception of the internet...
 

Theinsanegamer

Posts: 3,755   +6,535
Man, remember how loudly and how insistently it was proclaimed that Microsoft's acquisition of GitHub would not impact how they operate?
Honestly anyone who believed that belongs in a home somewhere. MS ruins everything it touches.
Since Google released Android as Open source and more people use smartphones instead of PC, Microsoft could not justify anymore the hiked price of Windows licenses. So they had to move to other businesses to milk customers. It seems that security is one of them, though is clear that with their credibility becoming lower and lower Microsoft has to find other businesses.
You say all that but they had yet another record quarter. Despite doing so much dumb stuff people keep buying from MS. It's depressing.
 

DSirius

Posts: 366   +760
TechSpot Elite
Honestly anyone who believed that belongs in a home somewhere. MS ruins everything it touches.
You say all that but they had yet another record quarter. Despite doing so much dumb stuff people keep buying from MS. It's depressing.
As soon as Windows will not be the dominant OS for users, Microsoft entire business will fall. Android is eroding them step by step, and Linux is dominant in servers. As soon as Steam OS present in Steam Deck will become more and more popular, peoples will shift from Windows.
 

brucek

Posts: 1,288   +1,916
It's an open secret that Microsoft has a $15 billion cybersecurity business
News to me - what form do these revenues take? Are they consulting contracts with governments and large companies? Is there a product line I'm unfamiliar with?

And all this time I thought Microsoft was supporting itself with the super cheesy casino ads that play within Microsoft Solitaire (kidding.)