Hacker gains access to a small number of Microsoft’s private GitHub repos

A hacker has gained access to a Microsoft employee’s GitHub account and has downloaded some of the company’s private GitHub repositories.

The intrusion is believed to have taken place in March, and came to light this week when the hacker announced plans to publish some of the stolen projects on a hacking forum.

While ZDNet has confirmed with multiple Microsoft employees that at least a small portion of the stolen files are authentic, we have been told that the hacker did not gain access to the source code of any major Microsoft core projects, such as Windows and Office.

Microsoft employees who commented on the leak have told ZDNet that such major projects are hosted internally at Microsoft and not on the company’s public GitHub portal.

The number of private repos believed to have been acquired by the hacker is believed to be around 1,200.

A Microsoft spokesperson told ZDNet earlier today that the company is investigating the incident, but did not want to comment further.

Nothing of actual importance leaked

With the help of cyber-security firms Nightlion Security and Under the Breach, ZDNet has obtained copies of files the hacker shared online this week.

This includes a list of all the files and directories downloaded from Microsoft’s private GitHub repositories.


Image: ZDNet

We also received three projects, including full source code, of private Microsoft projects.

msft-leak-asked.png

Image: ZDNet
msft-leak.png

Image: ZDNet

This reporter and ZDNet‘s Microsoft writer Mary Jo Foley have spoken yesterday and today with multiple Microsoft software engineers on the promise of anonymity. Sources have now confirmed that files and directories included on the list shared by the hacker did indeed contain projects that were stored in Microsoft’s GitHub account as private repositories.

Other Microsoft employees made their assessment public, also confirming the leak’s authenticity.

msft-hack-twitter.png

Image: ZDNet

Microsoft engineers who initially told us yesterday that “the leak was a scam” have now walked back their comments as news of the leak spread inside the company, and some employees confirmed its partial authenticity.

Employees who commented publicly on the leak as being a scam have also deleted their tweets.

A nothingburger?

We say “partial authenticity” because a large portion of the files and directories listed by the hacker do not appear to be Microsoft-related projects, or are open-source projects that have been public for years and have no affiliation to Microsoft. It is unclear how these GitHub repositories got on the hacker’s list.

ZDNet was told that none of the authentic Microsoft projects obtained by the hacker are even remotely sensitive. Internal policy is that the Microsoft GitHub account is to be used to host and share open-source projects and documentation. The Microsoft GitHub account is also used to host private projects that are to be made available under an open-source license in the future.

Furthermore, some employees said that their own private projects hosted on Microsoft’s official GitHub account were not included in the list of files obtained by the hacker, which means the threat actor only gained access to only a fraction of the non-sensitive information stored in Microsoft’s account.

The only sensitive issue might be that some projects could contain access tokens and API credentials that may now have to be revoked.

Under the Breach, which had direct contact with the hacker, has told ZDNet today that the attacker has now lost access to Microsoft’s private GitHub repositories, as Microsoft staff appears to have identified the compromised employee GitHub account.

The hacker behind this incident is the same individual behind the Tokopedia hack that ZDNet disclosed on Saturday.

Additional reporting by Mary Jo Foley.