Names, emails, and other data seem to be sold online by a pseudo-Russian hacker
Image source – pixabay.com
Update 29.10.2021:
As of today, we have not received any official information from Microsoft. We decided to investigate, with the methods available to us, the claim that the information for sale is publicly available.
We see the same contradiction between the number of employees registered on LinkedIn and Microsoft's official staff figures: almost 20k people are still missing from LinkedIn's scope.
Details of this kind are most likely shared only during private meetings or business events, via business cards or by mutually initiated email communication.
We also received a few answers from the seller to our questions.
We asked him the following:
It is good for Microsoft to know that, for the time being, the seller has no idea what the identifiers are used for.
[Screenshot of contacting the seller]
On the other hand, it seems to be a pure insider leak, which means more valuable data could leak, or may already have leaked, from the company and be waiting for its time to appear online.
Update 27.10.2021:
After our initial contact, Microsoft Support directed us to another department dealing with privacy and support issues.
We contacted that department immediately but have still not received any official statement from it.
Meanwhile, we received the following information on background:
We are already aware of this online post and through our investigation we’ve determined that some of the data is not credible. Most of the data contains information that could be found publicly.
It remains unclear which data is not credible, since the sample data provided to us was thoroughly checked and found valid; we can only assume that it would be impossible to collect all this data by crawling public web pages.
We have contacted the seller and received additional information about his lot and a price proposal, as well as a sample file with another 1000 records. The source of the data for sale remains unknown.
Looking closely at the provided data, we can identify persons of interest and, in particular, their positions and affiliation within the company.
There are at least 68 entries directly related to security positions, a few of them very senior, as follows:
According to the seller's messages, the price depends on which of the offered options the buyer chooses.
Even though the price is not as high as we expected, the data provided is relevant and consolidated within one file.
It can be used for many potential attack scenarios, including but not limited to:
An anonymous person published a message on one of the popular Russian-language forums offering 230 thousand data records of Microsoft employees for sale.
We have translated the original forum thread with Google Translate here:
There are four interesting attributes here, which give us a first picture of the actor:
1. The title seems to have been translated from another language, which seems to be a trend among non-Russian-speaking actors looking for new markets.
I honestly tried to match the pattern of the language on Google Translate, but Google didn't behave as expected with the words – so it could be any non-English text translated into Russian.
2. The same applies to the information about the leak provided in the body of the forum message. But here we can clearly see what a buyer could expect to receive:
The whole text of the message is translated here:
"Identifier","External identifier","Name","E-mail address","Position","Subordination level","Department"
If anyone is interested, you can also write to me, let's discuss.
Serious Buyers Only
3. The seller did not name a specific price for his catch, only indicating that he would discuss the price with a potential buyer in a personal conversation.
Since this is against the forum rules, the seller received a ban warning for posting a sale without a price.
4. It looks like the actor was already familiar with the forum and had even passed the 50-post threshold since registering on Feb 19, 2021.
The sale was supposed to be more successful than it is
After the publication on October 16, the seller updated the forum thread with a screenshot sample to back up his claims. He last updated the thread with another post on October 19, saying the sale was still waiting for a buyer.
We checked some names for authenticity through LinkedIn; some emails from the sample were also valid.
We decided to analyze the number of full-time employees of Microsoft Corporation to verify or cast doubt on the authenticity of the data published by the actor.
Image source – statista.com
Microsoft Corporation is a major international technology company, with around 103,000 full-time employees in the United States in fiscal year 2021. Another 78,000 of Microsoft's full-time employees are located outside the company's home market bringing the total number of full-time employees worldwide to around 181,000.
The hacker also did not indicate which period the compromised information covers, so it may well be that employees from different years are stored in the leaked database. Some of them may have changed their line of work and no longer have a relationship with Microsoft.
The hacker provided information about 230,000 Microsoft employees, which does not match the official statistics for 2021, but could still be valid if all previously employed personnel were counted.
Even though the presented sample does not reveal that much data, internal identifiers and official email addresses aggregated in one document can still be used to support planned social engineering campaigns.
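The points above (the column layout quoted from the forum post, the count of security-related positions, and the value of aggregated identifiers and corporate emails) are what a response team has to size when a sample like this lands on their desk. The following Python script is an added example written for this article, not code from the post or from the seller's sample: it parses records in the quoted column layout, drops duplicate identifiers, checks which emails are well-formed and on the corporate domain, and counts security roles and senior ones among them. The keyword list for "security-related", the reading of a lower "Subordination level" number as more senior, the `example.com` domain and every record in the sample are assumptions constructed for the demonstration.

```python
import csv
import io
import re

# Column names exactly as they appear in the seller's (translated) header line.
COLUMNS = ["Identifier", "External identifier", "Name", "E-mail address",
           "Position", "Subordination level", "Department"]

# Our own keyword list for flagging security-related roles (an assumption, not
# something the post specifies). Word boundaries keep "soc" from matching "associate".
SECURITY_RE = re.compile(r"\b(security|soc|incident|threat|red team|identity)\b", re.I)

# Loose syntactic check for an email address; good enough to separate garbage rows.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed sample in the leak's column layout; every value here is made up,
# including one duplicate row and one malformed email to exercise the checks.
SAMPLE = """\
"Identifier","External identifier","Name","E-mail address","Position","Subordination level","Department"
"1001","ext-a1","Alice Example","alice.example@example.com","Senior Security Engineer","3","Cloud Security"
"1002","ext-b2","Bob Sample","bob.sample@example.com","Software Engineer","4","Office"
"1003","ext-c3","Carol Demo","carol.demo@example.com","Director, Threat Intelligence","2","Security Response"
"1001","ext-a1","Alice Example","alice.example@example.com","Senior Security Engineer","3","Cloud Security"
"1004","ext-d4","Dan Test","dan.test@partner-example.org","Program Manager","5","Marketing"
"1005","ext-e5","Eve Broken","not-an-email","SOC Analyst","6","Security Operations"
"""


def parse_records(text):
    """Parse CSV text with the leak's header into a list of dicts; refuse other layouts."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != COLUMNS:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    return list(reader)


def dedupe(records):
    """Keep the first row per Identifier; samples are often padded with repeats."""
    seen = set()
    unique = []
    for rec in records:
        if rec["Identifier"] in seen:
            continue
        seen.add(rec["Identifier"])
        unique.append(rec)
    return unique


def is_security_role(rec):
    """True when the position or department text matches a security keyword."""
    return bool(SECURITY_RE.search(f'{rec["Position"]} {rec["Department"]}'))


def triage(text, corporate_domain, senior_level=3):
    """Summarise a leak sample from the defender's side.

    Returns the counts a response team needs to size notifications: unique
    people, well-formed emails, emails on the corporate domain, security roles,
    and the identifiers of senior security roles (subordination level <= senior_level,
    assuming a lower number means a more senior position).
    """
    raw = parse_records(text)
    unique = dedupe(raw)
    valid_emails = [r for r in unique if EMAIL_RE.match(r["E-mail address"])]
    corporate = [r for r in valid_emails
                 if r["E-mail address"].lower().endswith("@" + corporate_domain.lower())]
    security = [r for r in unique if is_security_role(r)]
    senior_security = [r["Identifier"] for r in security
                       if r["Subordination level"].isdigit()
                       and int(r["Subordination level"]) <= senior_level]
    return {
        "raw_rows": len(raw),
        "unique_ids": len(unique),
        "valid_emails": len(valid_emails),
        "corporate_emails": len(corporate),
        "security_roles": len(security),
        "senior_security_ids": sorted(senior_security),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE, "example.com").items():
        print(f"{key}: {value}")
```

Run against a real sample, the `unique_ids` versus `raw_rows` gap tells you how much of the advertised volume is padding, `corporate_emails` tells you how many people actually need a phishing-awareness notice, and `senior_security_ids` is the short list whose mailboxes deserve extra monitoring while the leak is fresh.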
We are looking for official comments from Microsoft and will update the publication accordingly.
Disclaimer: The main goal of our team is to protect user data and respond on time to possible threats to prevent negative consequences. We do not in any way imply any wrongdoing on the part of Microsoft Corporation or its partners or affiliates. We are only focusing the readers' attention on our findings to increase the awareness and safety of users on the Internet.
Cooltechzone leaks team