Microsoft has undoubtedly become a household name since its founding, but its history is not squeaky clean. Throughout the years, Microsoft has suffered a long list of security incidents, many of which have put user data in peril. So, what are the biggest Microsoft hacks of the 21st century? And does this tech giant need better security?
1. The 2021 Exchange Server Breach
At the very start of 2021, on January 3, Microsoft’s Exchange platform servers began to be compromised through four zero-day software vulnerabilities.
It wasn’t until March of the same year that the scope of the attack became evident, with over 30,000 US-based organizations being attacked via these software flaws within Microsoft Exchange’s code. All in all, over 250,000 individual Exchange servers were hacked, with 7,000 of these being UK-based. Other countries, including Norway and Chile, were also affected.
The data stolen in this attack included email addresses and passwords of server users. Additionally, the attackers could add more backdoors for future exploits.
It didn’t take long for Microsoft to release the necessary patches, but this attack highlighted just how easily vulnerabilities can lead to huge hacking campaigns.
2. The Leak of 250 Million Customer Records
In early 2020, it was discovered that Microsoft had accidentally leaked over 250 million customer records. This huge exposure came as a result of a database that was not password-protected.
Much of the data exposed consisted of conversations between users and customer support representatives, which took place between 2005 and 2019. However, more sensitive information was released in certain instances, including customer IP and email addresses.
It only took 24 hours for Microsoft to secure the database, but it was already too late at this point.
3. The 2016 Hotmail Credentials Leak
In May 2016, numerous news outlets began reporting a huge hack that had resulted in the leak of user credentials from Google, Yahoo, and Microsoft. Over 270 million account credentials were stolen and put up for sale on illicit Russian marketplaces. 33 million of these were Hotmail credentials, an email service bought by Microsoft in 1997.
Luckily, the hacker who initially had possession of the credentials sold them to a security company in disguise, instead of another malicious individual looking to exploit them.
4. The 2022 Lapsu$ Data Breach
In March 2022, Microsoft confirmed that it had been attacked by a well-known hacker group called “Lapsu$”. This international hacking syndicate has made a name for itself by targeting many big names, including Nvidia and Samsung.
While Lapsu$ used to target organizations in South America and the UK, they have since set their sights on additional victims, including those within the US. This brazen hacking group turned its focus to Microsoft in early 2022.
In this instance, Lapsu$ (known officially by Microsoft as “DEV-0537”) managed to compromise a single Microsoft employee account and access parts of the Bing, Bing Maps, and Cortana source code.
Microsoft’s confirmation came after the Lapsu$ published this stolen source code in a torrent file. However, Microsoft alleged in a blog post regarding the incident that the theft and leak of the source code does not pose a security risk to the company or its users.
5. The 2010 Zero-Day Breach
In late 2009, Microsoft became aware of a critical zero-day security vulnerability. The company didn’t take any action until the next year when companies like Google and Adobe began to be targeted by cybercriminals via the vulnerability.
This flaw allowed malicious actors to deploy malware on target companies’ employee devices. The malicious software would then be leveraged to access private information from Google and Gmail.
This breach made Microsoft look particularly bad due to how the company handled issuing a remedy. It wasn’t until January 2010, three months after learning about the vulnerability, that Microsoft released a patch. What’s worse is that Microsoft initially planned to release the patch a month later, in February.
6. The 2023 Storm0558 Attack
In 2023, around 25 organizations, including government agencies, were attacked via two Microsoft security vulnerabilities. The malicious actor, based in China and known as Storm0558, managed to steal data from customers that use Outlook Web Access and Exchange Online.
Microsoft stated that it was believed the threat actor had goals of espionage. The company further confirmed that the attacker had acquired an MSA consumer signing key to conduct the attack.
According to a Wiz investigation, it wasn’t just Outlook Web Access and Exchange Online that were affected by the hack. Wiz reported that other Microsoft services, including Teams, OneDrive, and SharePoint, could also be exploited using the compromised MSA key.
Does Microsoft Need Better Security?
Microsoft is by no means lax in terms of security. The company ensures that its products have a solid level of user protection, including two-factor authentication, encryption, anti-spam filters, firewalls, and login alerts.
Of course, the presence of these features will depend on what Microsoft product you’re using. For instance, Windows operating systems come with default antivirus software, but Outlook will not.
The majority of the attacks listed above came as a result of a software vulnerability, so it seems more code audits may be the answer for Microsoft. The company already undergoes audits, be it for their software or business practices, but it appears that a large volume of vulnerabilities are still slipping through the cracks.
Releasing security patches as soon as vulnerabilities are identified may also be wise, even if the vulnerability is yet to be abused. This eliminates the chance of Microsoft or its users falling victim to attacks caused by software exploits.
However, these practices would require a lot of personnel and resources, as Microsoft has almost 400 software products out there today.
Microsoft Will Never Be Impervious to Hacks
Even if Microsoft were somehow able to increase its security twice over, it still wouldn’t be 100 percent immune from cyberattacks. Unfortunately, no software program, device, or component is totally safe from being exploited in some way, be it through vulnerabilities, malware, or other means.