Microsoft Data Breaches: Full Timeline Through 2022

The most recent Microsoft breach occurred in October 2022, when data on over 548,000 users was found on an misconfigured server. Below, you’ll find a full timeline of Microsoft data breaches and security incidents, starting with the most recent.

October 2022: 548,000+ Users Exposed in BlueBleed Data Leak

On October 19th, security firm SOCRadar identified over 2.4 terabytes of exposed data on a misconfigured Microsoft endpoint. By SOCRadar’s account, this data pertained to over 65,000 companies and 548,000 users, and included customer emails, project information, and signed documents.

Microsoft acknowledged the data leak in a blog post. They also said they had secured the endpoint and notified the accounts that had been compromised, and elaborated that they found no evidence customer accounts had actually been compromised — only exposed. Microsoft also disputed some key details of SOCRadar’s findings:

After reviewing their blog post, we first want to note that SOCRadar has greatly exaggerated the scope of this issue.  Our in-depth investigation and analysis of the data set shows duplicate information, with multiple references to the same emails, projects, and users. We take this issue very seriously and are disappointed that SOCRadar exaggerated the numbers involved in this issue even after we highlighted their error.

March 2022: Lapsus$ Group Breaches Microsoft

On March 20, 2022, the hacker group Lapsus$ posted a screenshot to their Telegram channel indicating that they had breached Microsoft. The screenshot was taken within Azure DevOps, a collaboration software created by Microsoft, and indicated that Bing, Cortana, and other projects had been compromised in the breach.

On March 22, Microsoft issued a statement confirming that the attacks had occurred. In it, they asserted that no customer data had been compromised; per Microsoft’s description, only a single account was hijacked, and the company’s security team was able to stop the attack before Lapsus$ could infiltrate any deeper into their organization.

In a lengthy blog post, Microsoft’s security team described Lapsus$ as “a large-scale social engineering and extortion campaign against multiple organizations with some seeing evidence of destructive elements.” They go on to describe the group’s tactics in great detail, indicating that Microsoft had been studying Lapsus$ carefully before the incident occurred.

For their part, Lapsus$ has repeatedly stated that their motivations are purely financial: “Remember: The only goal is money, our reasons are not political.” They appear to exploit insider threats, and recently posted a notice asking tech workers to compromise their employers.

You can read more in our article on the Lapsus$ group’s cyberattacks.

August 2021: Organizations Expose 38 Million Records Due to Power Apps Misconfiguration

In August 2021, word of a significant data leak emerged. The issue arose due to misconfigured Microsoft Power Apps portals settings. Overall, at least 47 companies unknowingly made stores data publicly accessible, exposing at least 38 million records.

Since dozens of organizations – including American Airlines, Ford Motor Co., and the New York Metropolitan Transportation Authority – were involved, the nature of the exposed data varied. In some cases, it was employee file information. In others, it was data relating to COVID-19 testing, tracing, and vaccinations. Some records contained highly sensitive personal information, such as full names, birth dates, Social Security numbers, addresses, and demographic details.

The issue was discovered by UpGuard, a cybersecurity firm, and was promptly reported to Microsoft and impacted organizations, allowing the tech giant and the other companies and agencies to address the problem and plug the leaks. It isn’t known whether the information was accessed by cybercriminals before the issues were addressed.

The misconfiguration in this case happened on the part of the third-party companies, and was not directly caused by Microsoft. Microsoft did publish Power Apps documentation describing how certain data could end up publicly accessible. But there weren’t any other safeguards in place, such as a warning notification inside the software announcing that a system change would make the data public.

Many feel that a simple warning in technical documentation isn’t sufficient, potentially putting part of the blame on Microsoft. However, the organizations are ultimately the ones that applied the settings, making them responsible for the leaks, as well.

August 2021: Thousands of Microsoft Azure Customer Accounts and Databases Exposed

In August 2021, security professionals at Wiz announced that they were able to access customer databases and accounts housed on Microsoft Azure – a cloud-based computing platform – including records and data relating to many Fortune 500 companies. They were researching the system and discovered various vulnerabilities relating to Cosmos DB, the Azure database service.

Through the vulnerabilities, the researchers were able to gain complete access to data, including a selection of databases and some customer account information relating to thousands of accounts. Aside from the researchers, it isn’t clear whether the data was accessed by third parties, including potential attackers.

In this case, Microsoft was wholly responsible for the data leak. The flaws in Cosmos DB created a functional loophole, enabling any user to access a slew of databases and download, alter, or delete information contained therein.

April 2021: 500 Million LinkedIn Users’ Data Scraped and Sold

In April 2021, personal data on over 500 million LinkedIn users was posted for sale on a hacker forum. A representative for LinkedIn reported to Business Insider that this data was scraped from publicly available data on the platform. The data included information such as email addresses and phone numbers – all the more reason to keep sensitive details from public profiles.

January 2021: Microsoft Exchange Server Vulnerability Leads to 60,000+ Hacks

In one of the broadest security incidents involving Microsoft, four zero-day vulnerabilities led to widespread hacking attempts targeting Microsoft Exchange Servers. While the exact number isn’t clear, the issue potentially impacted over 30,000 U.S. companies, and as many as 60,000  companies worldwide.

This incident came to light in January 2021 when a security specialist noticed some anomalous activity on a Microsoft Exchange Server operated by a customer – namely, that an odd presence on the server was downloading emails. After digging deeper, the specialist noticed more unexpected activities, including requests relating to specific emails and for confidential files.

As the specialist looked for more details regarding what was happening, more hacking activity was uncovered. In relatively short order, it was determined that four zero-day vulnerabilities were allowing unauthorized parties to access data, deploy malware, hijack servers, and access backdoors to reach other systems.

While Microsoft worked quickly to patch the vulnerabilities, securing the systems relied heavily on the server owners. If the proper updates weren’t applied, the issues remained in place, allowing attackers to take advantage of the flaw long-term.

The total damage from the attack also isn’t known. Mainly, this is because the resulting hacks weren’t all administered by a single group for one purpose. As a result, the impact on individual companies varied greatly.

Additionally, it wasn’t immediately clear who was responsible for the various attacks. In July 2021, the Biden administration and some U.S. allies formally stated that they believed China was to blame. Some of the original attacks were traced back to Hafnium, which originates in China. However, with the sheer volume of hacks, it’s likely that multiple groups took advantage of the vulnerability.

December 2020: Microsoft and 18,000 Other SolarWinds Customers Targeted with Malicious Update

In December 2020, vulnerabilities associated with SolarWinds – an infrastructure monitoring and management software solution – were exploited by Russian hackers. Attackers gained access to the SolarWinds system, giving them the ability to use software build features. The hackers then pushed out malicious updates to approximately 18,000 SolarWinds customers utilizing a supply chain attack approach, giving them access to the customers’ systems, networks, and data.

Once the hackers could access customer networks, they could use customer systems to launch new attacks. Along with distributing malware, the attackers could impersonate users and access files.

Among the targeted SolarWinds customers was Microsoft. Once its system was impacted, additional hacking activity occurred through its systems, allowing the attackers to reach Microsoft customers as a result.

The full scope of the attack was vast. Numerous government agencies – including the Department of Defense, Department of Homeland Security, Department of Justice, and Federal Aviation Administration, among others – were impacted by the attack. Additionally, several state governments and an array of private companies were also harmed.

As Microsoft continued to investigate activities relating to the SolarWinds hackers – which Microsoft dubbed “Nobelium” – it determined that additional systems had been compromised by the attackers. The tech giant announced in June 2021 that it found malware designed to steal information on a customer support agent’s computer, potentially allowing the hackers to access basic account information on a limited number of customers.

December 2019: Over 250 Million Microsoft Customer Records Exposed

In January 2020, news broke of a misconfigured Microsoft internal customer support database that left records on 250 million customers were exposed. The database wasn’t properly password-protected for approximately one month (December 5, 2019, through December 31, 2019), making the details accessible to anyone with a web browser who managed to connect to the database.

Along with some personally identifiable information – including some customer email addresses, geographical data, and IP addresses – support conversations and records were also exposed in the incident. The main concern is that the data could make the customers prime targets for scammers, as it would make it easier for them to impersonate Microsoft support personnel.

The database contained records collected dating back as far as 2005 and as recently as December 2019. While it’s known that the records were publicly accessible, it isn’t clear whether the data was actually accessed by cybercriminals.

April 2019: Compromised Support Agent Credentials Give Hackers Access Webmail Accounts

In April 2019, Microsoft announced that hackers had acquired a customer support agent’s credentials, giving them access to some webmail accounts – including @outlook.com, @msn.com, and @hotmail.com accounts – between January 1, 2019, and March 28, 2019. The credentials allowed the hackers to view a limited dataset, including email addresses, subject lines, and folder names.

It isn’t clear how many accounts were impacted, though Microsoft described it as a “limited number.” Additionally, the tech giant asserted that email contents and attachments, as well as login credentials, were not compromised in the hack.

November 2016: Hundreds of Skype Accounts Hacked to Send Spam Messages

In November 2016, word of pervasive spam messages coming from Microsoft Skype accounts broke. The messages were being sent through compromised accounts, including users that signed up for Microsoft’s two-factor authentication. Overall, hundreds of users were impacted.

Microsoft asserted that there was no data breach on their side, claiming that hackers were likely using stolen email addresses and password combinations from other sources to access accounts. However, the failure of the two-factor authentication system places at least some of the blame on the tech giant.

One main issue was the implementation of a sign sign-in system that allowed users to link their Microsoft and Skype accounts. With that in place, many users were unaware that their previous, separate Skype password remained stored, allowing it to be used to login to Skype specifically from other devices. If hackers gained access to that Skype password, they could effectively bypass the two-factor authentication, giving them access.

Microsoft released guidance on how to fully merge the Microsoft and Skype account data, giving users a solution. However, it required active steps on the part of the user and wasn’t applied by Microsoft automatically.

May 2016: 33 Million Stolen Hotmail Credentials Discovered for Sale Online

In May 2016, security experts discovered a data cache featuring 272.3 million stolen account credentials. While the bulk was for a Russian email service, approximately 33 million – about 12 percent of the total stash – were for Microsoft Hotmail accounts.

At the time, the cache was one of the largest ever uncovered, and only came to light when a Russian hacker discussed the collected data on an online forum. The hacker was charging the equivalent of less than $1 for the full trove of information.

October 2013: Internal Microsoft Bug Tracking Database Compromised

In October 2017, word broke that an internal database Microsoft used to track bugs within Microsoft products and software was compromised back in 2013. The extent of the breach wasn’t fully disclosed to the public, though former Microsoft employees did state that the database contained descriptions of existing vulnerabilities in Microsoft software, including Windows operating systems.

With information from the database, attackers could create tools to break into systems by exploring the vulnerabilities, potentially allowing them to target hundreds of millions of computers. However, it isn’t clear whether the information was ultimately used for such purposes.

March 2013: 3,000 Xbox Live Users Credentials Exposed

In March 2013, nearly 3,000 Xbox Live users had their credentials exposed after participating in a poll and entering a prize draw. The details – which included names, gamer tags, birthdays, and emails – were accidentally published online and not accessed via a hack. However, it wasn’t clear if the data was subsequently captured by potential attackers.

June 2012: Malware Disguised as Legitimate Microsoft Update Sent to Hundreds of Computers

In June 2012, word of a man-in-the-middle attack that allowed hackers to distribute malware by disguising the malicious code as a genuine Microsoft update emerged. Flame wasn’t just capable of infecting machines; it could also spread itself through a network using a rogue Microsoft certificate.

When an unharmed machine attempted to apply a Microsoft update, the request was intercepted before reaching the Microsoft update server. Then, Flame returned a malicious executable file featuring a rogue certificate, causing the uninfected machine to download malware. Creating the rogue certificate involved exploiting the algorithm Microsoft used to set up remote desktops on systems, allowing code to be crafted that appeared to come from Microsoft.

Overall, Flame was highly targeted, limiting its spread. Overall, it’s believed that less than 1,000 machines were impacted.

2011 through 2013: Xbox Underground Repeatedly Hacks Microsoft

A hacking group known as the Xbox Underground repeatedly hacked Microsoft systems between 2011 and 2013. Along with accessing computer networks without authorization, the group used stolen credentials to get into a secured building and acquired development kits. Additionally, they breached certain developer systems, including those operated by Zombie Studios, a company behind the Apache helicopter simulator used by the U.S. military.

Several members of the group were later indicted, and one member, David Pokora, became the first foreign hacker to ever receive a sentence on U.S. soil. He was imprisoned from April 2014 until July 2015.

December 2010: Microsoft BPOS Data Leak Exposes Customer Information to Other BPOS Customers

In December 2010, Microsoft announced that Business Productivity Online Suite (BPOS) – a cloud service – customers’ data was accessible to other users of the software. A configuration issue allowed customers to download Offline Address Books – which contained business contact information for employees – of other users inadvertently.

Microsoft stated that “a very small number” of customers were impacted by the issue. Additionally, the configuration issue involved was corrected within two hours of its discovery.

January 2010: Microsoft Internet Explorer Zero-Day Flaw Allows Hackers to Breach Major U.S. Companies

In January 2010, news broke of an Internet Explorer zero-day flaw that hackers exploited to breach several major U.S. companies, including Adobe and Google. The vulnerability allowed attackers to gain the same access privileges as an authorized user with administrative rights, giving the hackers the ability to take complete control of an impacted system. Once within the system, attackers could also view, alter, or remove data, create new user accounts, and more.

For example, through the flaw – which was related to Internet Explorer 6, specifically –attackers gained the ability to download malware onto a Google employee’s computer, giving them access to proprietary information. Hackers also had access relating to Gmail users.

Microsoft had been aware of the problem months prior, well before the hacks occurred. Additionally, Microsoft hadn’t planned to release a patch until the next scheduled major update for Internet Explorer, though it ultimately had to accelerate its plan when attackers took advantage of the vulnerability.