Several people who appear to be Microsoft employees have leaked sensitive login credentials to the company’s own infrastructure on GitHub, potentially offering attackers a gateway into Microsoft’s internal systems, according to the cybersecurity research firm that discovered the exposed credentials. Motherboard reports: “We continue to see accidental source code and credential leaks as part of a company attack, and it’s becoming more and more difficult to detect in a timely and accurate manner. It’s a very difficult problem for most companies these days,” Massab Hussain, chief security officer of cybersecurity company spiderSilk, which discovered the problem, told Motherboard in an online chat. Hussain provided Motherboard with seven examples of exposed Microsoft logins. All of them were credentials for Azure servers. Azure is a Microsoft cloud computing service similar to Amazon Web Services. All exposed credentials were associated with an official Microsoft tenant ID. A tenant ID is a unique identifier associated with a specific set of Azure users. One GitHub user also listed Microsoft in their profile.
Three of the seven login credentials were still active when spiderSilk discovered them, with one appearing to have been uploaded just a few days ago at the time of writing. The remaining four credential sets were no longer active, but still highlighted the risk of employees accidentally uploading keys for internal systems. Microsoft declined to specify which systems the credentials protect when Motherboard asked several times. But generally speaking, an attacker may be able to move on to other points of interest after gaining initial access to an internal system. One GitHub profile with exposed and active credentials links to an Azure DevOps code repository. Underscoring the risk such credentials can pose, in an apparently unrelated breach in March, attackers gained access to an Azure DevOps account and then released a large amount of Microsoft source code, including for Bing and Microsoft’s Cortana assistant. “We’ve investigated and taken steps to protect these credentials,” a Microsoft spokesperson said in a statement. “Although they were inadvertently released, we have seen no evidence that sensitive data was accessed or that credentials were misused. We are continuing to investigate and will continue to take the necessary steps to prevent the inadvertent sharing of credentials.”