Lapsus$ Hackers Leak 37GB of Microsoft’s Alleged Source Code


The Lapsus$ hacking group claims to have leaked source code for Bing, Cortana and other stolen projects from Microsoft’s internal Azure DevOps server.

Early Sunday morning, the Lapsus$ gang posted a screenshot on their Telegram channel indicating that they had hacked into Microsoft’s Azure DevOps server containing source code for Bing, Cortana, and various other internal projects.

Screenshot of Microsoft's Azure DevOps account leaked by Lapsus$

On Monday night, the hacking group released a torrent for a 9GB 7zip archive containing source code for more than 250 projects they claim belong to Microsoft.

When releasing the torrent, Lapsus$ said it contained 90% of the source code for Bing and around 45% of the code for Bing Maps and Cortana.

Even though they say only part of the source code was leaked, BleepingComputer has learned that the uncompressed archive contains approximately 37 GB of source code allegedly belonging to Microsoft.

Leaked source code projects

Security researchers who looked into the leaked files told BleepingComputer that they appear to be legitimate Microsoft internal source code.

Additionally, we are told that some of the leaked projects contain emails and documentation that were clearly used internally by Microsoft engineers to release mobile apps.

The projects appear to be for web infrastructure, websites, or mobile apps, with no source code for released Microsoft desktop software, including Windows, Windows Server, and Microsoft Office.

When we contacted Microsoft about tonight’s source code leak, they reiterated to BleepingComputer that they were aware of the allegations and were investigating.

Lapsus$ leaks data left and right

Lapsus$ is a data extortion hacking group that compromises business systems to steal source code, customer lists, databases, and other valuable data. They then attempt to extort the victim with ransom demands for not disclosing the data publicly.

Over the past few months, Lapsus$ has revealed numerous cyberattacks against large companies, with confirmed attacks against NVIDIA, Samsung, Vodafone, Ubisoft, and Mercado Libre.

Most attacks so far have targeted source code repositories, allowing threat actors to steal sensitive proprietary data, such as NVIDIA’s Lite Hash Rate (LHR) technology that enables graphics cards to reduce the mining capability of a GPU.

It’s unclear how threat actors get into these repositories, but some security researchers believe they pay company insiders to gain access.

“From my perspective, they continue to gain their access using company insiders,” threat intelligence analyst Tom Malka told BleepingComputer.

This theory isn’t far-fetched, as Lapsus$ previously announced that it was willing to buy access to employee networks.

Lapsus$ recruits company insiders

However, it may be more than that, as Lapsus$ has posted screenshots of their access to what they claim are Okta’s internal websites. As Okta is an authentication and identity management platform, if Lapsus$ were able to break into the business, they could potentially use it as a springboard to reach its enterprise customers.

As for Lapsus$, they have gained a large following on Telegram, with over 33,000 subscribers on their main channel and over 8,000 on their chat channel.

The extortion group uses their very active Telegram channels to announce new leaks and attacks and to chat with their fans, and they seem to enjoy the notoriety.

With the RaidForums data breach forum closed, we’re likely to see many regulars of that site now interacting on Lapsus$’s Telegram channels.

For now, we’ll likely see more breaches to come as Lapsus$ and their fans celebrate data leaks.