
Microsoft Data Breaches: Timeline Up to April 2023


Microsoft is one of the world’s largest and most recognizable technology companies, with a wide range of products and services used by millions of people worldwide.

However, like many other large corporations, Microsoft has been the target of numerous data breaches over the years. These data breaches have resulted in the loss or theft of sensitive information, including personal and financial data belonging to millions of users.

Microsoft has taken various measures to address these data breaches and improve its security protocols, including investing in advanced cybersecurity technologies, increasing employee training on security best practices, and implementing multi-factor authentication for its users.

Despite these efforts, the threat of data breaches remains a significant challenge for Microsoft and other tech companies, highlighting the need for continued vigilance and investment in cybersecurity measures. Below is the list of Microsoft data breaches with the timeline.

October 2022 – Microsoft Data Breach

SOCRadar, a security firm, discovered more than 2.4 terabytes of data that had been exposed due to a misconfigured Microsoft endpoint on October 19th.

According to SOCRadar, this data belonged to over 65,000 companies and 548,000 users and contained various types of information such as customer emails, project details, and signed documents.

In a blog post, Microsoft admitted to the data breach and stated that they had taken measures to secure the endpoint and notify the affected accounts.

They clarified that although customer accounts had been exposed, there was no evidence of actual compromise. Additionally, Microsoft contested certain aspects of SOCRadar’s discoveries.

“Upon examining their blog post, we would like to point out that the extent of this issue has been greatly overstated by SOCRadar. Our thorough examination and evaluation of the dataset indicate the presence of duplicated information, including numerous mentions of the same emails, projects, and users. We view this matter as significant and regret that SOCRadar continued to inflate the numbers involved in spite of our previous clarification of their mistake.”

March 2022 – Microsoft Data Breach

Lapsus$ posted a screenshot on their Telegram channel on March 20, 2022, revealing their successful breach of Microsoft.

The screenshot, captured from Microsoft’s collaborative software Azure DevOps, disclosed that various projects including Bing and Cortana had been compromised.

Microsoft released a statement on March 22 acknowledging the attacks and stating that no customer data was compromised.

According to their account, only one account was hijacked and their security team managed to thwart the attack before Lapsus$ could penetrate further into their systems.

Microsoft’s security team, in a lengthy blog post, outlined Lapsus$ as a “massive social engineering and extortion scheme targeting various organizations, with some experiencing signs of destructive components.”

The team further elaborated on the group’s strategies, indicating that Microsoft had been analyzing Lapsus$ closely prior to the incident.

Lapsus$ has consistently declared that their actions are solely driven by financial gain, stating, “Keep in mind: our objective is only money, and our intentions are not political.”

Their tactics seem to involve taking advantage of insider threats, as evidenced by a recent message encouraging tech employees to betray their companies.

August 2021 (1) – Microsoft Data Breach

In August 2021, news broke out about a major data breach caused by incorrect settings on Microsoft Power Apps portals.

As a result of this issue, confidential data from at least 47 companies was made publicly accessible without their knowledge, resulting in the exposure of over 38 million records.

The exposed data had varying natures due to the involvement of numerous organizations, which included American Airlines, Ford Motor Co., and the New York Metropolitan Transportation Authority.

The data included employee file information, COVID-19 testing, tracing, and vaccination data, and some records containing sensitive personal information, such as full names, birth dates, Social Security numbers, addresses, and demographic details.

UpGuard, a cybersecurity firm, identified the problem and quickly reported it to Microsoft and affected organizations.

This enabled the tech company, as well as other agencies and companies, to take corrective action and fix the leaks. Whether cybercriminals had accessed the information prior to the issue being resolved remains unclear.

In this instance, the misconfiguration was not directly caused by Microsoft but rather by third-party companies.

Although Microsoft did provide Power Apps documentation that explained how some data could become publicly accessible, no additional measures were in place, such as a notification within the software, to warn users that a system change could result in the data becoming public.

Some people believe that relying on a basic cautionary statement in technical materials is inadequate and may assign some fault to Microsoft.

Nevertheless, the organizations that implemented the configurations are ultimately accountable for the data breaches.

August 2021 (2) – Microsoft Data Breach

Security experts at Wiz revealed in August 2021 that they had successfully gained entry to customer databases and accounts stored on Microsoft Azure, a cloud computing platform. This included data and records related to numerous Fortune 500 firms.

During their investigation of the system, they uncovered several vulnerabilities related to Cosmos DB, the Azure database service.

Using the vulnerabilities, the researchers managed to obtain unrestricted access to a variety of databases and to certain customer account details for thousands of accounts. It is uncertain whether any third parties, such as potential attackers, also accessed the data besides the researchers.

The data leak can be attributed entirely to Microsoft in this instance, as the vulnerabilities present in Cosmos DB allowed for a practical means of exploiting any user to gain entry to numerous databases and subsequently modify or delete the information stored within them.

April 2021 – Microsoft Data Breach

Over 500 million LinkedIn users’ personal data was put up for sale on a hacker forum in April 2021. According to a LinkedIn spokesperson who spoke to Business Insider, this data was obtained by scraping publicly available information on the platform.

The data contained sensitive details like email addresses and phone numbers, highlighting the importance of not making such information public on user profiles.

January 2021 – Microsoft Data Breach

One of the most extensive security incidents involving Microsoft occurred when hackers exploited four zero-day vulnerabilities targeting Microsoft Exchange Servers in a widespread hacking campaign.

Although the exact number of affected companies is unknown, it is estimated that more than 30,000 companies in the United States and up to 60,000 companies worldwide were potentially impacted by the issue.

In January 2021, a security specialist detected anomalous activity on a Microsoft Exchange Server operated by a customer. Specifically, the specialist observed that an unusual entity on the server was downloading emails.

Upon further investigation, the specialist uncovered additional unexpected activity such as requests for specific emails and confidential files.

As the specialist delved deeper into the investigation, they discovered additional hacking activity. Soon after, they concluded that four zero-day vulnerabilities had been exploited, enabling unauthorized access to data, deployment of malware, server hijacking, and entry through backdoors to reach other systems.

Although Microsoft moved swiftly to fix the vulnerabilities, the responsibility of securing the systems rested largely on the server owners.

Failure to install the necessary updates meant that the vulnerabilities persisted, providing attackers with the opportunity to exploit them over an extended period.

It’s difficult to determine the overall extent of the damage caused by the attack because the hacks that followed were not carried out by a single group for a common objective. As a consequence, the impact on individual companies differed significantly.

At first, it was uncertain who should be held accountable for the series of attacks. Nevertheless, in July 2021, the Biden administration and certain American allies officially declared their belief that China was responsible.

Hafnium, which is of Chinese origin, was identified as the source of some of the initial attacks. However, given the large number of breaches, it is probable that several groups exploited the vulnerability.

December 2020 – Microsoft Data Breach

Russian hackers took advantage of vulnerabilities in SolarWinds, a software used for monitoring and managing infrastructure, in December 2020.

By accessing the SolarWinds system, they were able to use its software build features to introduce malicious updates to about 18,000 of its customers, using a supply chain attack. This allowed the attackers to infiltrate the customers’ systems, networks, and data.

After gaining access to customer networks, the hackers were able to carry out further attacks by utilizing customer systems. This involved not only the distribution of malware but also the ability to impersonate users and gain access to files.

Microsoft was one of the SolarWinds customers that were targeted, and the compromise of its system led to further hacking activity through its networks, which ultimately resulted in the infiltration of Microsoft’s own customers.

The attack had a widespread impact, affecting various government agencies such as the Department of Defense, Department of Homeland Security, Department of Justice, and Federal Aviation Administration, along with numerous state governments and private companies. The extent of the attack was considerable.

After scrutinizing the actions of the SolarWinds hackers, referred to as “Nobelium” by Microsoft, the company discovered that the attackers had breached more systems.

In June 2021, Microsoft disclosed that it had identified malware on the computer of a customer support agent, which could have been used by the hackers to obtain the basic account details of a restricted number of customers.

December 2019 – Microsoft Data Breach

In January 2020, it was reported that a Microsoft internal customer support database had been misconfigured, resulting in the exposure of records pertaining to 250 million customers.

For approximately one month, from December 5, 2019, to December 31, 2019, the database was not adequately password-protected, thereby allowing access to anyone who could connect to the database using a web browser.

The incident resulted in the exposure of support conversations and records, as well as personally identifiable information such as customer email addresses, geographical data, and IP addresses.

The major concern is that this data could make customers vulnerable to scammers who may find it easier to impersonate Microsoft support personnel.

The database had collected records dating back to 2005 and as recently as December 2019, but it is uncertain whether cybercriminals had accessed the publicly available data.

April 2019 – Microsoft Data Breach

Microsoft disclosed in April 2019 that a group of hackers had obtained the login credentials of a customer support agent, which gave them entry to certain webmail accounts such as @outlook.com, @msn.com, and @hotmail.com between the dates of January 1, 2019, and March 28, 2019.

The acquired credentials enabled the hackers to access a restricted dataset comprising email addresses, subject lines, and folder names.

The exact number of affected accounts is uncertain, although Microsoft referred to it as a “restricted” amount. Furthermore, the technology company claimed that the breach did not compromise the email content and attachments, as well as the login credentials.

November 2016 – Microsoft Data Breach

The news of widespread spam messages originating from Microsoft Skype accounts surfaced in November 2016.

The messages were sent from hacked accounts, which included those of users who had enrolled in Microsoft’s two-factor authentication. The incident affected hundreds of users in total.

Although Microsoft claimed that hackers were using stolen email addresses and passwords from other sources to access accounts and denied any data breach on their side, the fact that the two-factor authentication system failed means that the tech giant bears some responsibility.

The implementation of a sign-in system linking Microsoft and Skype accounts was a major issue, as many users were not aware that their old Skype password remained stored and could be used to access Skype from other devices.

This posed a security risk because, if hackers obtained the Skype password, they could bypass two-factor authentication and gain access to the account.

Microsoft has issued instructions on how to merge all of the user’s Microsoft and Skype account data, providing a solution for users. However, users are required to take active steps themselves as Microsoft does not apply this automatically.
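As an added illustration (not code from the article, and not Microsoft's or Skype's implementation), the following Python model shows the design flaw described above: a legacy credential path that authenticates with the old password and never reaches the two-factor check, next to a corrected design in which every credential type passes through the same MFA gate and the legacy password is retired when the accounts are merged. The account name, passwords and salt are constructed for the demo; the TOTP secret is the RFC 6238 test key. The TOTP code is a real RFC 6238 implementation on the standard library, so the example generalizes beyond the Skype case to any system with more than one way to sign in.

```python
"""Added example: a legacy credential path that bypasses MFA, beside the fix.

All account data below is constructed for the demonstration.
"""
import hashlib
import hmac
import struct
from typing import Optional


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is a demo value, not a recommendation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP on top of RFC 4226 HOTP (HMAC-SHA1 with dynamic truncation)."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed account: a Microsoft-account password, a Skype password left
# over from before the accounts were linked, and two-factor auth enabled.
SALT = b"demo-salt-not-random"
ACCOUNT = {
    "user": "alice@example.com",                              # constructed
    "ms_password": hash_password("Correct-Horse-Battery", SALT),
    "skype_password": hash_password("oldskypepw2009", SALT),  # legacy credential
    "totp_secret": b"12345678901234567890",                   # RFC 6238 test key
    "mfa_enabled": True,
}

_CREDENTIAL_FIELDS = {"ms": "ms_password", "skype": "skype_password"}


def _password_ok(stored: bytes, supplied: str) -> bool:
    return hmac.compare_digest(stored, hash_password(supplied, SALT))


def _mfa_ok(account: dict, otp: Optional[str], now: int) -> bool:
    if not account["mfa_enabled"]:
        return True
    return otp is not None and hmac.compare_digest(otp, totp(account["totp_secret"], now))


def login_weak(account: dict, credential_type: str, password: str,
               otp: Optional[str], now: int) -> bool:
    """Flawed design: the Skype path checks only the old password and never
    consults the MFA setting, so a stolen Skype password bypasses 2FA."""
    if credential_type == "skype":
        return _password_ok(account["skype_password"], password)
    return _password_ok(account["ms_password"], password) and _mfa_ok(account, otp, now)


def login_fixed(account: dict, credential_type: str, password: str,
                otp: Optional[str], now: int) -> bool:
    """Corrected design: one chokepoint. Every credential type verifies its
    password and then passes the same MFA gate; a retired credential is absent."""
    stored = account.get(_CREDENTIAL_FIELDS.get(credential_type, ""))
    if stored is None or not _password_ok(stored, password):
        return False
    return _mfa_ok(account, otp, now)


def merge_accounts(account: dict) -> dict:
    """The remediation the article describes: fold the Skype identity into the
    Microsoft account so the old Skype password stops being a valid credential."""
    merged = dict(account)
    merged.pop("skype_password", None)
    return merged


if __name__ == "__main__":
    now = 59  # RFC 6238 test vector time; the 6-digit code here is 287082
    print("weak  / skype pw, no OTP :", login_weak(ACCOUNT, "skype", "oldskypepw2009", None, now))
    print("fixed / skype pw, no OTP :", login_fixed(ACCOUNT, "skype", "oldskypepw2009", None, now))
    print("fixed / skype pw + OTP   :", login_fixed(ACCOUNT, "skype", "oldskypepw2009", "287082", now))
    merged = merge_accounts(ACCOUNT)
    print("merged/ skype pw + OTP   :", login_fixed(merged, "skype", "oldskypepw2009", "287082", now))
```

The point to take from the two `login_*` functions is that the MFA decision must live in one place that every credential type reaches; adding a second sign-in path later (as the account linking did) is exactly when such a gate gets skipped. The merge step shows why the fix is incomplete until the legacy credential is actually removed rather than merely discouraged.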

May 2016 – Microsoft Data Breach

A data cache containing 272.3 million stolen account credentials was found by security experts in May 2016. Most of the accounts belonged to a Russian email service, but approximately 33 million, which accounts for around 12% of the total, were for Microsoft Hotmail accounts.

This cache was discovered when a Russian hacker discussed the data on an online forum and was selling the complete information for less than $1. It was considered one of the largest caches ever uncovered at the time.

October 2013 – Microsoft Data Breach

It was reported in October 2017 that Microsoft’s internal bug-tracking database, which had been breached in 2013, contained information about vulnerabilities in Microsoft software, including Windows operating systems.

Although the extent of the breach was not fully revealed to the public, former Microsoft employees confirmed the existence of the database and its compromised state.

Attackers could potentially exploit the vulnerabilities and breach systems by utilizing the information obtained from the database, enabling them to target a vast number of computers.

However, it remains uncertain if the information was eventually utilized for such malevolent purposes.

March 2013 – Microsoft Data Breach

In March 2013, the personal information of approximately 3,000 Xbox Live users, such as names, gamer tags, birthdays, and emails, was unintentionally made public after they took part in a survey and entered a contest.

This occurred due to an accidental online publication, and not as a result of a cyberattack. It remains unclear whether this data was subsequently obtained by any potential attackers.

June 2012 – Microsoft Data Breach

A man-in-the-middle attack, which was reported in June 2012, enabled hackers to distribute malware by camouflaging the malicious code as a legitimate Microsoft update.

Flame, the malware, not only had the ability to infect machines but also to propagate itself throughout a network utilizing a deceptive Microsoft certificate.

Before the Microsoft update could reach the server, a machine that was unaffected intercepted the request. Subsequently, Flame provided a malicious executable file with a fake certificate, leading to the download of malware by the uninfected machine.

To create the fake certificate, an exploit was used to manipulate the algorithm used by Microsoft to establish remote desktops on systems, enabling the creation of code that appeared to originate from Microsoft.

In general, Flame was designed to have a narrow focus, which restricted its propagation. As a result, it’s estimated that fewer than 1,000 devices were affected.

Year 2011 To 2013 – Microsoft Data Breach

From 2011 to 2013, Microsoft systems were repeatedly hacked by a group of hackers known as the Xbox Underground. The group not only gained unauthorized access to computer networks, but also used stolen credentials to enter a secured building and obtain development kits.

Furthermore, they infiltrated specific developer systems, including those belonging to Zombie Studios, the company responsible for the Apache helicopter simulator used by the U.S. military.

After being indicted, a number of individuals in the group faced legal charges, including David Pokora, the first foreign hacker to be sentenced on U.S. soil, who was imprisoned from April 2014 to July 2015.

December 2010 – Microsoft Data Breach

Microsoft made an announcement in December 2010, stating that the cloud-based service called Business Productivity Online Suite (BPOS) unintentionally made its customers’ data available to other software users.

The issue resulted from a configuration error, enabling users to inadvertently download Offline Address Books containing business contacts of other employees.

After the issue was discovered, Microsoft promptly corrected the configuration problem within two hours and stated that only a few customers were affected by the issue.

January 2010 – Microsoft Data Breach

Several prominent U.S. companies, such as Adobe and Google, were breached in January 2010 by hackers exploiting a zero-day flaw in Internet Explorer.

The security vulnerability enabled the attackers to acquire administrative-level access, providing them with full control over the targeted system. Subsequently, the attackers could manipulate, remove, or peruse data and create fresh user accounts, among other things.

The hackers exploited a vulnerability specific to Internet Explorer 6 to download malware onto a Google employee’s computer. As a result, they gained access to sensitive proprietary information and also to Gmail users’ accounts.

Months prior to the hacks taking place, Microsoft was already aware of the problem. Despite this, Microsoft did not plan to release a patch until the next scheduled major update for Internet Explorer. However, they had to speed up their plan when attackers exploited the vulnerability.

Kevin James


I'm Kevin James, and I'm passionate about writing on Security and cybersecurity topics. Here, I'd like to share a bit more about myself. I hold a Bachelor of Science in Cybersecurity from Utica College, New York, which has been the foundation of my career in cybersecurity. As a writer, I have the privilege of sharing my insights and knowledge on a wide range of cybersecurity topics. You'll find my articles here at Cybersecurityforme.com, covering the latest trends, threats, and solutions in the field.