A hacker has come forward, claiming to have obtained over 500GB of ASCII text files from Microsoft's personal GitHub archive. The service posted screenshots indicating that the files were likely obtained on the 28th of March.
There has been great controversy over the files, as the hacker's forum post offers them at no cost at all. He tends to exaggerate the actual size, claiming the archive is 54GB compressed and 500GB uncompressed. In fact, compressed, it is 64 GB; research attests to this.
However, the leaked data includes source code for Azure, Office, and some Windows runtime files and APIs. Also, the files did not appear to include anything sensitive, although they probably contain passwords left by mistake in the code.
Dustin Metzgar, a former Microsoft software engineer for nearly ten years, says the code is unlikely to contain such data. This is because the tech giant puts in enormous effort and time to ensure removal of secrets from source code.
Metzgar tweeted that there are check-in gates and routine scans for anything that looks like a secret. Real efforts are made, though, with all certs and secrets rotated as well. Nothing is foolproof.
A Microsoft spokesperson confirmed that the company is aware of the allegation and has started an investigation, but did not divulge additional information. A Microsoft staff member had responded to the Twitter post, claiming that the leak was a sham. Interestingly, the same staff member took down the tweet shortly after. It is worth mentioning that Microsoft owns GitHub.
Appears to be real
Another Twitter user, Nirmal Guru, says the leaked source code appears to be real. He, however, dismisses the venture as worthless and unbecoming, since Microsoft reveals all private repositories on GitHub to the public at one stage or another.
However, this seems to be far from the last of our worries, as Under The Breach, a reputable source indeed, has reported that the cybercriminal responsible for this hack has also only recently leaked 15 million records stolen from Tokopedia, an e-commerce company based in Indonesia.