Microsoft Github repository was indeed hacked; Unknown hacker accessed a small number of Microsoft’s private GitHub Repos
There is no smoke without fire. Four days back we had reported that an unknown hacker managed to access Microsoft’s GitHub repositories and had stolen nearly 500 gigs of the data cache. Now reports have come that indicate that Microsoft repositories on GitHub had indeed been hacked and an unknown hacker had indeed stolen some records.
However, the hacker was just able to gain access to an individual Microsoft employee’s GitHub account and had managed to download some of the company’s private GitHub repositories worth 500GB data trove. According to Microsoft, the data breach incident took place in March 2020 and only became known when the hacker announced plans to publish some of the stolen projects on a hacking forum. If you remember, a hacker who goes by the handle Shiny Hunters first contacted BleepingComputer and told them “he hacked into the Microsoft GitHub account, gaining full access to the software giant’s ‘Private’ repositories.”
ZDNet collaborated with Nightlion Security and Under the Breach to confirm the authenticity of the data dump claimed to have hacked by Shiny Hunters. The data accessed by them includes a list of all the files and directories downloaded from Microsoft’s private GitHub repositories.
The data was confirmed to be authentic and belonging to Microsoft’s GitHub repository by multiple Microsoft employees. Employees confirmed that Shiny Hunter did not gain access to the source code of any major Microsoft core projects, such as Windows 10 and Microsoft Office. This is because Microsoft hosts its major projects at a top-secret location internally and is only accessed by vetted employees.
The hack seems to have affected Microsoft’s Android projects most as you can see from the image.
Shiny Hunter has been able to steal approximately 1200 Microsoft private repos according to ZDNet. Like our readers, many in the security community refused to believe that any hacker had managed to breach the Microsoft GitHub repos. Even the Microsoft engineers had claimed, “the leak was a scam.” Now the engineers are eating a humble pie and have confirmed the data breach.
GitHub not secure for Microsoft
GitHub is owned by Microsoft. For the uninitiated, GitHub provides services of hosting repositories using Gits. It was Microsoft in 2018 for US$7.5 billion. If this is not an insider breach as is being claimed and Shiny Hunter managed to break into Microsoft’s GitHub, how are other developers who work on GitHub gits safe? Microsoft has to come clean about the whole matter in a transparent way.
However, as expected Microsoft has refused to comment on the Data Breach incident saying it is under investigation.