500GB of data allegedly stolen from Microsoft’s private GitHub

James Walker

A hacker has claimed to have stolen over 500GB of data from private repositories stored on Microsoft’s GitHub account. Microsoft, which owns GitHub, hasn’t publicly commented on the breach, which does not appear to impact any of the company’s major software products.

The hacker, using the name “Shiny Hunters,” disclosed the theft by contacting news site BleepingComputer. Claiming to possess over 500GB of files downloaded from Microsoft’s private GitHub repositories, the actor said they had intended to sell the source code online. Instead, they’re now planning to release it for free.

Shiny Hunter provided a directory listing containing the names, sizes and timestamps of each of the stolen files. None of the repositories appear to concern Microsoft’s primary products, such as Windows, Office and Xbox. Instead, they’re mostly “code samples, test projects, an eBook, and other generic items.”

Indeed, the authenticity of the entire breach has been disputed. Microsoft employee Sam Smith said on Twitter that the company only uses GitHub for projects which will eventually become open-source and publicly available. He initially wrote that Microsoft rules require all GitHub repositories to be made public within 30 days of creation, although the tweet has since been deleted.

Real or not, the general consensus is that the breach hasn’t exposed anything of significance to Microsoft. If genuine, the most pressing concern will be how the hacker obtained access in the first place. Other security researchers have noted that Git repositories often contain private API keys and passwords which are mistakenly added by developers, which could expose further Microsoft information if found and used.