
Microsoft Cybersecurity Breaches: A Two Year Timeline

Last Updated April 6, 2024 11:12 AM
Giuseppe Ciccomascolo

Key Takeaways

  • A recent investigation into a Chinese cyberattack highlights concerns about Microsoft’s overall security.
  • Over the past two years, Microsoft has experienced several high-profile data breaches.
  • These attacks exposed millions of users and organizations.
  • The high number of vulnerabilities reported indicates a need for increased focus on security.

The US government’s investigation into the Chinese hacking of officials’ email accounts, and the criticism of Microsoft that followed, have highlighted the company’s difficulties in addressing cybersecurity threats.

Over the past 24 months, Microsoft has faced numerous high-profile data breaches and has had more than 1,200 vulnerabilities reported in its products, affecting millions of users and organizations.

Here are the most significant events, from 2021 to the present.

Chinese Attack On US Officials Email

A recent report from the Cyber Safety Review Board (CSRB) criticized Microsoft for what it called an “inadequate” security culture, in light of the cyberattack last year that compromised the email accounts of US officials. The CSRB concluded that the intrusion was preventable and stressed the need for robust security practices and broader logging.

Microsoft did not detect the intrusion itself. It came to light on June 15, 2023, when State Department staff noticed anomalous activity in their email systems; the department could see it only because it had bought a premium license that includes more detailed audit logging.

The CSRB investigation focused on a 2023 intrusion in which Chinese hackers accessed the email accounts of senior US officials, including Commerce Secretary Gina Raimondo, US Ambassador to China Nicholas Burns, and Assistant Secretary of State for East Asian and Pacific Affairs Daniel Kritenbrink, ahead of senior US visits to China in the summer of 2023.

In total, the attackers compromised Microsoft Exchange Online mailboxes at 22 organizations and belonging to 503 individuals worldwide. Among those affected were officials from the Commerce and State Departments, as well as Congressman Don Bacon, a member of the House Taiwan Caucus.

BlueBleed Data Leak And Lapsus$ Group Breach

In October 2022, a misconfigured Azure Blob Storage endpoint operated by Microsoft itself exposed personal data that, by the discoverer’s count, belonged to more than 548,000 users, including names, email addresses, and phone numbers. Microsoft judged the exposed data not sensitive enough to warrant notifying affected users directly.

SOCRadar, an Extended Threat Intelligence (XTI) provider, found the publicly accessible storage container on September 24, 2022, and promptly alerted Microsoft. Microsoft later confirmed that the exposed data included names, email addresses, email content, company names, and phone numbers, along with files attached to business dealings between customers and Microsoft or its authorized partners.

Microsoft did not say how many records were exposed. SOCRadar’s assessment put the exposure at 2.4 terabytes of data from 65,000 companies in 111 countries, including 335,000 emails, 133,000 projects, and personal information on 548,000 users; Microsoft said those figures greatly exaggerated the scope of the issue.
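What turned BlueBleed from one leaked file into terabytes was that anonymous clients could enumerate the container, not just fetch blobs whose URL they already knew. The following added example (written for this page; not Microsoft’s or SOCRadar’s code) triages Azure Storage for that condition offline. It reads JSON shaped like the output of `az storage account list` and `az storage container list`, treats an unset `allowBlobPublicAccess` as permissive, and ranks containers whose `publicAccess` is `container` (anonymous list and read) above `blob` (anonymous read of known URLs). The field names are Azure’s; every account and container name and value is constructed.

```python
"""Offline triage for BlueBleed-style exposure: which Azure Storage
containers can anonymous clients read or enumerate?

Added example. The JSON below is constructed to mirror the shape of
`az storage account list` and `az storage container list` output; the
field names are the real ones, every name and value is invented.
"""
import json

# Constructed stand-in for `az storage account list -o json`.
ACCOUNTS_JSON = """[
  {"name": "partnerdocs01", "allowBlobPublicAccess": true},
  {"name": "partnerdocs02", "allowBlobPublicAccess": null},
  {"name": "lockeddown03",  "allowBlobPublicAccess": false}
]"""

# Constructed stand-in for `az storage container list --account-name <name>`.
CONTAINERS_JSON = {
    "partnerdocs01": """[
      {"name": "proposals", "properties": {"publicAccess": "container"}},
      {"name": "invoices",  "properties": {"publicAccess": "blob"}},
      {"name": "internal",  "properties": {"publicAccess": null}}
    ]""",
    "partnerdocs02": """[
      {"name": "archive", "properties": {"publicAccess": "container"}}
    ]""",
    "lockeddown03": """[
      {"name": "legacy", "properties": {"publicAccess": "container"}}
    ]""",
}

SEVERITY = {
    # Anonymous ListBlobs plus read: one URL is enough to pull the whole container.
    "container": ("HIGH", "anonymous clients can enumerate and read every blob"),
    # Anonymous read only for blobs whose exact URL is already known.
    "blob": ("MEDIUM", "anonymous clients can read blobs whose URL they know"),
}


def account_allows_anonymous(account: dict) -> bool:
    """Account-level switch. Only an explicit false is safe: null means the
    property was never set, which older accounts treat as 'allowed'
    (the conservative assumption used here)."""
    return account.get("allowBlobPublicAccess") is not False


def triage(accounts_json: str, containers_by_account: dict) -> list:
    """Return (account, container, severity, reason) for every container an
    anonymous client can reach, in account order then container order."""
    findings = []
    for account in json.loads(accounts_json):
        if not account_allows_anonymous(account):
            continue  # account-level deny overrides any container setting
        raw = containers_by_account.get(account["name"], "[]")
        for container in json.loads(raw):
            level = container["properties"].get("publicAccess")
            if level in SEVERITY:
                sev, reason = SEVERITY[level]
                findings.append((account["name"], container["name"], sev, reason))
    return findings


def anonymous_list_url(account: str, container: str) -> str:
    """The unauthenticated request that succeeds only for 'container'-level
    access; useful to confirm a HIGH finding from outside the tenant."""
    return f"https://{account}.blob.core.windows.net/{container}?restype=container&comp=list"


if __name__ == "__main__":
    for acct, cont, sev, reason in triage(ACCOUNTS_JSON, CONTAINERS_JSON):
        print(f"{sev:6} {acct}/{cont}: {reason}")
        if sev == "HIGH":
            print("       verify:", anonymous_list_url(acct, cont))
```

On the constructed data the script flags `partnerdocs01/proposals` and `partnerdocs02/archive` as HIGH and `partnerdocs01/invoices` as MEDIUM, and ignores `lockeddown03/legacy` because the account-level switch is off. Remediation is the account-level switch first (`az storage account update --name <account> --allow-blob-public-access false`), then `az storage container set-permission --public-access off` for any container that must stay in an account where anonymous access is still needed.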

In March 2022, the Lapsus$ extortion group, known for targeting major technology companies, breached Microsoft’s internal systems through a single compromised employee account and published what it said was source code for Microsoft products, including Bing, Cortana, and Exchange Server. Microsoft said no customer code or data was involved.

Power Apps Misconfiguration And Azure-LinkedIn Data Issue

In August 2021, researchers found that Power Apps portals run by dozens of organizations were exposing personal data on some 38 million people, including names, email addresses, and phone numbers. The portals’ OData APIs served table data to anonymous users unless table permissions had been switched on; Microsoft initially treated this as a documented customer configuration choice rather than a product flaw, then changed the default so that new portals enable table permissions.

Also in August 2021, a misconfiguration in Microsoft Azure exposed thousands of customer accounts and databases, including names, email addresses, and passwords. Again, Microsoft attributed the misconfiguration to a third-party partner.

In April 2021, data on roughly 500 million LinkedIn users was put up for sale, including names, email addresses, phone numbers, and workplace details.

LinkedIn said the data set had been aggregated by scraping public profile data and other sources rather than taken through a breach of its systems, and it did not include passwords. Microsoft has owned LinkedIn since 2016.

Over 1,200 Microsoft Vulnerabilities

Over the past 24 months, the Common Vulnerabilities and Exposures (CVE) database has recorded 1,292 vulnerabilities in Microsoft products, including Windows, Office, Edge, and others.

Among them, one notable issue, reported in 2022 by researchers at WithSecure, concerned Microsoft Office 365 Message Encryption (OME). OME encrypted message content with AES in Electronic Codebook (ECB) mode, which encrypts each 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks. Anyone holding enough encrypted messages can therefore infer structure and repeated content without the key, and can splice blocks from one message into another.

Although Microsoft acknowledged the report and paid WithSecure a bug bounty, it chose not to fix the issue. A Microsoft spokesperson said the rights management feature is intended to prevent accidental misuse and is not a security boundary.

Microsoft has since deprecated legacy OME in favor of Microsoft Purview Message Encryption, which is available under specific Microsoft 365 subscription plans.
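The weakness in the WithSecure finding is a property of the mode, not of AES, so it can be shown with any deterministic block cipher. The following added example (written for this page; not WithSecure’s or Microsoft’s code) uses a stand-in 128-bit Feistel cipher keyed through HMAC-SHA256 so that it runs offline with the Python standard library. The demo key, IV and “ledger” message are constructed. It encrypts the same message in ECB and CBC, counts repeated ciphertext blocks, and then splices ECB blocks to forge a different plaintext without ever touching the key.

```python
"""Why ECB leaks: identical plaintext blocks give identical ciphertext
blocks, and blocks can be spliced without the key.

Added example. The block cipher is a stand-in 128-bit Feistel network
keyed through HMAC-SHA256 so the demo runs offline; it is NOT AES. The
weakness shown belongs to the mode and holds for any deterministic block
cipher, AES included. Key, IV and the ledger message are constructed.
"""
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # 128-bit blocks, the size AES uses

# Constructed demo key and IV (a real system would use random secrets).
DEMO_KEY = hashlib.sha256(b"demo key, not a secret").digest()[:16]
DEMO_IV = hashlib.sha256(b"demo iv").digest()[:16]

# Constructed plaintext: twelve 16-byte ledger rows, ten approved, two denied.
APPROVED = b"STATUS=APPROVED;"
DENIED = b"STATUS=DENIED;  "
MESSAGE = APPROVED * 10 + DENIED * 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: HMAC-SHA256 truncated to the 8-byte half width.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Stand-in block cipher: 8-round Feistel over two 8-byte halves."""
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # PKCS#7: always adds 1..16 bytes
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    return data[: -data[-1]]


def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Each block is encrypted on its own: same input block -> same output block.
    return b"".join(encrypt_block(key, b) for b in _blocks(_pad(plaintext)))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    return _unpad(b"".join(decrypt_block(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes) -> bytes:
    # Chaining: each block is XORed with the previous ciphertext block first,
    # so repeated plaintext no longer produces repeated ciphertext.
    out, prev = [], iv
    for b in _blocks(_pad(plaintext)):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return iv + b"".join(out)


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:BLOCK], ciphertext[BLOCK:]
    out, prev = [], iv
    for b in _blocks(body):
        out.append(_xor(decrypt_block(key, b), prev))
        prev = b
    return _unpad(b"".join(out))


def block_stats(ciphertext: bytes) -> tuple:
    """(total blocks, distinct blocks). In ECB, distinct << total betrays
    repeated plaintext; in CBC the two match barring a ~2^-128 collision."""
    blocks = _blocks(ciphertext)
    return len(blocks), len(Counter(blocks))


def forge_all_approved(ecb_ciphertext: bytes) -> bytes:
    """Cut-and-paste without the key: overwrite the two DENIED blocks
    (positions 10 and 11) with copies of the APPROVED block at position 0,
    leaving the padding block in place."""
    blocks = _blocks(ecb_ciphertext)
    blocks[10] = blocks[0]
    blocks[11] = blocks[0]
    return b"".join(blocks)


if __name__ == "__main__":
    ecb = ecb_encrypt(DEMO_KEY, MESSAGE)
    cbc = cbc_encrypt(DEMO_KEY, MESSAGE, DEMO_IV)
    print("ECB total/distinct blocks:", block_stats(ecb))          # (13, 3)
    print("CBC total/distinct blocks:", block_stats(cbc[BLOCK:]))  # (13, 13)
    print("forged plaintext:", ecb_decrypt(DEMO_KEY, forge_all_approved(ecb)))
```

The ECB ciphertext has 13 blocks but only 3 distinct values, so an observer can see exactly which rows repeat and where the two outliers sit; the CBC ciphertext of the same message has 13 distinct blocks. The forgery then shows the second half of the problem: with no key, the two “denied” rows are rewritten as “approved” simply by copying ciphertext blocks, and the result decrypts cleanly. This is why ECB is unsuitable for anything whose structure or integrity matters, and why the fix is an authenticated mode rather than a longer key.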
