
Microsoft's GitHub account allegedly hacked, 500GB stolen - badRNG
https://www.bleepingcomputer.com/news/security/microsofts-github-account-allegedly-hacked-500gb-stolen/
======
jug
Sounds sketchy given what the employee from Microsoft commented. The article
is also not completely up to date with their “interesting” findings. For
example, while a language projection for the Windows Runtime to Rust is
interesting, it is also a public repository:
[https://github.com/microsoft/winrt-rs](https://github.com/microsoft/winrt-rs)
I’d take this article with a grain of salt until we hear more.

~~~
giancarlostoro
I am pretty sure anything from Microsoft on GitHub is intended to be open
source eventually. There's no reason they don't have proprietary projects in
their own internal version control systems.

~~~
DiabloD3
Microsoft had multiple Github Enterprise accounts before the acquisition,
owned by multiple teams independently inside of Microsoft. They chose to use
these instead of Microsoft's own internal repository (some VSS-based thing I
think), which management ordered them to use.

More internal Microsoft code was being hosted by GitHub instead of by Microsoft.

However, the Microsoft account on Github seems to only be public repositories,
or repositories being prepped to be public. Actual internal stuff is hosted by
one or more Github Enterprise accounts, the alleged hack does not claim they
were hacked as well.

~~~
ShakataGaNai
Ah source code at MS. Always amusing to me. VSS [1] (Visual Source Safe) was
terrible and I always wondered how "real" companies could use it. From what I
heard, MS never did use it, they bought it and sold licenses. That's it.

That being said, Microsoft actually moved Windows to Git [2] years and years
ago. Presumably they did the same with everything else. Team Foundation Server
(TFS) supports Git, so they probably have the critical stuff on that TFS
still, rather than GitHub. Especially since those repos are huge.

[1] [https://en.wikipedia.org/wiki/Microsoft_Visual_SourceSafe](https://en.wikipedia.org/wiki/Microsoft_Visual_SourceSafe)
[2] [https://arstechnica.com/information-technology/2017/02/micro...](https://arstechnica.com/information-technology/2017/02/microsoft-hosts-the-windows-source-in-a-monstrous-300gb-git-repository/)

~~~
DiabloD3
They moved to Git, from what I can tell as an outsider, as part of the "Ballmer
fucked Microsoft" clean up duty that produced a toxic and soon-to-be-fatal
culture over there.

Github ended up being the final piece they needed after years of effort. Most
of what I said in the earlier comment was what I pieced together from multiple
(ex-)Microsoft people who chose to talk about it, over years.

TFS AFAICT started as just a repo manager (in the sense, does what GitHub
does) for VSS and Perforce, with more modern support for other things,
including Microsoft's gargantuan Git monorepo... but a lot of people at
Microsoft still like GitHub Enterprise better.

I imagine given this, whatever TFS does better, Github Enterprise will learn
to do over the next few years. Microsoft is big on eating their own dogfood
now, but they don't seem to want to do Google silliness where they have 20
products that do the same thing and let them fight it out in FFA arena combat
(even Lync is still Lync underneath, it just keeps getting new frontends).

~~~
aksss
> Lync is still Lync

mmm.. I know what you're saying but the change to Teams from a VOIP
perspective substantially changed some of the under-the-hood stuff. They stood
up a facade to offer luke-warm integration from SfB/Lync IP phones
(authentication and basic calling, but that's about it). AFAIK this wasn't
just a breaking change but a re-arch of some of the backend. Point being, they
may be evolutions but the move to Teams is not just a new front-end.
Substantial evolution has happened since we first installed server stacks to
support Lync, even though we still see Lync fingerprints and junk dna
everywhere.

------
searchableguy
> In a directory listing and samples of other private repositories sent to
> BleepingComputer, the stolen data appears to be mostly code samples, test
> projects, an eBook, and other generic items.

Other than private keys or sensitive info being left behind, it doesn't appear
to be severe. Looks like a nothing burger given the data, until more is released.

> Microsoft employee Sam Smith replied to Under the Breach's tweet stating
> that he thought the leak was fake as "Msft has a “rule” that GitHub repos
> must be public within 30 days."

Curious, what does microsoft use internally? Instance of github enterprise?
Azure devops?

~~~
ytch
> Curious, what does microsoft use internally? Instance of github enterprise?
> Azure devops?

I guess they have internal Git servers, since they developed VFS for Git [1] to
handle large numbers of files in Git, but IIRC GitHub doesn't support it yet.

[1] [https://vfsforgit.org/](https://vfsforgit.org/)

~~~
bgdnyxbjx
Yes. Most teams are using git repos in Azure DevOps. Anything in GitHub is
supposed to be made public pretty quickly.

------
afrcnc
I looked at this yesterday. 90% of it is garbage files from a Chinese
developer, or projects that have been open-sourced for 3-4 years.

That's not how "leaks" and "hacked" work, the last time I checked.

------
rvz
> This evening, a hacker going by the name Shiny Hunters contacted
> BleepingComputer to tell us they had hacked into the Microsoft GitHub
> account, gaining full access to the software giant's 'Private' repositories.

Well, someone asked the other day whether or not private repositories on
GitHub were safe [0]; I think you now have a concrete answer, regardless of
whether this is true or not. I have already made the case to privately
self-host, especially if you're a large enterprise, but preferably on-site
[1][2] to avoid these types of attacks and, in the process, to reduce costs, as
many were discussing in another HN thread [3], but here we are.

If they can do it to Microsoft, they can do it to anyone else who has a GitHub
account.

[0]
[https://news.ycombinator.com/item?id=23057769](https://news.ycombinator.com/item?id=23057769)

[1]
[https://news.ycombinator.com/item?id=22960579](https://news.ycombinator.com/item?id=22960579)

[2]
[https://news.ycombinator.com/item?id=22868406](https://news.ycombinator.com/item?id=22868406)

[3]
[https://news.ycombinator.com/item?id=23089999](https://news.ycombinator.com/item?id=23089999)

~~~
bithaze
Isn't the upside of hosted platforms like this that they have teams of people
securing and monitoring the platform, which can be a bit much for one person
who's self-hosting? I do self-host other things but the article doesn't say
anything about how the breach might've occurred (e.g. 2FA not enabled?).

~~~
_jal
The counterargument is that a SaaS platform like GitHub's interests are in the
ongoing viability of the service, while my interests are only in my data in
the service.

Those are only somewhat aligned, as anyone with a dispute about terms of
service can tell you.

> which can be a bit much for one person who's self-hosting

If your repo serves one person, why do you need your repo to be hosted in
public at all? `git init` and a backup are all you need.

~~~
flak48
Many consider hosting the repo (privately) on Github etc to be the backup.

------
FanaHOVA
So many people were paranoid about Microsoft reading their private source code
post-acquisition; turns out it was the other way :)

------
dependenttypes
I think that "leaked" would be a better choice compared to "stolen". You can't
"steal" source code, unless somehow you remove the original (such as if the
source code is stored on paper in a safe somewhere and there are no copies and
someone goes and steals it).

~~~
naringas
or if during the hack, the code was deleted after copying

regardless, I agree.

------
6c696e7578
So a closed source software company buys an open source tool company, and
inadvertently makes closed source open source!

Or, in other words, if you want to keep something private, don't put it in the
"cloud"!

~~~
capableweb
Me and a friend were having coffee and were discussing secrets something like
10 years ago. The conclusion of our conversation was "Everything always comes
out" (translated from Swedish [context was some gossip that eventually leaked
about our common friend]) which boils down to that the only way you can really
ensure something stays secret forever, is by only having it in your mind and
not sharing it. As soon as you share it _anywhere_, there is a risk of it
leaking somewhere.

The lesson I carry is that the more secret something is, the closer to my
brain it is. Top-secret = only in my head, little bit secret = encrypted on my
hard drive, little less secret = encrypted in the cloud, not secret at all =
just dumped in a Google Drive account.

~~~
6c696e7578
Mentally, tell yourself there are some very personal photos in the data.

Then most people think more carefully about where they store it :)

------
tomxor
> Overall, from what was shared, there does not appear to be anything
> significant for Microsoft to worry about, such as Windows or Office source
> code.

> In a directory listing and samples of other private repositories sent to
> BleepingComputer, the stolen data appears to be mostly code samples, test
> projects, an eBook, and other generic items.

------
factorialboy
From the article:

> Microsoft employee Sam Smith replied to Under the Breach’s tweet stating
> that he thought the leak was fake as “Msft has a “rule” that GitHub repos
> must be public within 30 days.”

Does that mean MS bans the use of GitHub for permanently storing private
repos?

~~~
orta
We (the TypeScript team) have a bunch of private repos (blog post drafts,
planning docs, reproduction repos, rando internal tooling ) on GitHub that are
many years old. I'm pretty sure that Sam was mistaken here.

~~~
wwwigham
To be fair, we had to file for exceptions to the 30 day policy for a lot of
those. Not that any of them are terribly important to be private; a private
GitHub repo is just a convenient discussion forum for collaboratively composing
blog posts and such (change tracking and reviews are so nice). The blog post
one, in particular, probably gets a pass because everything composed on it is
eventually published in the open anyway (albeit without the discussion and
editorial history).

------
peterwwillis
Gentle reminder that any private repository is sensitive, because the people
pushing to them might not be as careful with what they push, because it's
private.

There are hundreds of different kinds of credentials that can be hidden all
throughout the history of a Git repo (in code, in logs, in comments, binary
blobs, etc). If you don't have a very robust credential scanner operating
continuously, and you have a large organization, you probably have active
credentials hidden in your private repos.

~~~
ChrisSD
Considering these repos are meant to be made public within 30 days, I'd hope
Microsoft employees would be more careful when pushing. Leaving it to a last
minute cleanup sounds like a recipe for disaster.

------
rafaelreinert
The most impressive thing is that Microsoft has more than 3k projects (with
forks) on GitHub as public repos.

------
westoque
Not sure if anyone knows, but if you use AWS you can actually create your own
repository there for your organization. It doesn't have the GitHub UI or
features like issues, but it should be going in the right direction, where your
organization owns its private repos.

~~~
colonwqbang
Having your repo in Amazon's cloud instead of Microsoft's cloud doesn't mean
that you "own" it to a greater degree, does it? It's just a different company
holding the keys for you.

~~~
westoque
True. It's just a lot safer because of how AWS has their
permissions/access/ACL set up. Not to mention the attack surface is smaller,
since you don't expose your repo organization name, repo users, etc. like they
have it out in the open on GitHub.

~~~
MagnificRogue
How's this different from doing the same thing in Azure?

------
babycake
So is there a list somewhere to see if we were affected?

~~~
me_again
You're not affected. Even if real this is not a breach of user data.

------
kats
GitHub reliability is not high enough to support the way people are using it.
The administration of the site is not predictable enough, the site has
frequent downtime, and there are security issues.

------
scared2
500GB is too big; any information about the content?

------
angel_j
Plot twist, all the data was open source

------
eugenekolo
Awfully boring things to breach. Not very exciting except for the fact that
some employee probably installed nudez.exe.

------
wp381640
I feel vindicated for my own insistence that private repos also get scanned
and purged of secrets
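Picking up peterwwillis's point above that credentials hide throughout a repo's history and wp381640's that private repos should be scanned too, here is an added example; it is not code from this thread, from Microsoft, or from any existing scanner project. It scans `git log -p` output rather than the working tree, so a key that was committed and later deleted is still reported. The regexes, the entropy threshold, and the sample diff are constructed assumptions; the sample access key is the well-known AWS documentation example, not a live credential.

```python
"""Added example: scan a Git repository's *history* for credentials.
Patterns, threshold and sample input are constructed for illustration."""
import math
import re
import subprocess
from collections import Counter

# A few common credential shapes (constructed, deliberately not exhaustive).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    # No leading \b: keys like db_password must still match.
    "password_assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
}
# Long opaque tokens; '=' padding is left out so key names and values separate.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{32,}")
ENTROPY_THRESHOLD = 4.5  # bits/char; random-looking secrets score above this


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_diff_text(diff: str) -> list:
    """Walk 'git log -p' text; only added lines ('+') carry secrets into history.
    Commit and '+++ b/' headers tell us where each finding came from."""
    findings, commit, path = [], "?", "?"
    for line in diff.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:12]
        elif line.startswith("+++ b/"):
            path = line[6:]
        elif line.startswith("+") and not line.startswith("+++"):
            body = line[1:]
            for name, pat in PATTERNS.items():
                if pat.search(body):
                    findings.append({"commit": commit, "path": path, "kind": name})
            for tok in TOKEN_RE.findall(body):
                if shannon_entropy(tok) > ENTROPY_THRESHOLD:
                    findings.append({"commit": commit, "path": path, "kind": "high_entropy"})
    return findings


def scan_repo(repo_path: str) -> list:
    """Scan every commit on every branch of a real repository."""
    out = subprocess.run(["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
                         capture_output=True, text=True, check=True).stdout
    return scan_diff_text(out)


# Constructed 'git log -p' sample: a key added in commit 1 and removed in
# commit 2 (a working-tree scan misses it), plus leaked tokens in commit 3.
SAMPLE_DIFF = """\
commit 1111111111111111111111111111111111111111
diff --git a/deploy.cfg b/deploy.cfg
--- /dev/null
+++ b/deploy.cfg
@@ -0,0 +1,3 @@
+[aws]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+region = us-east-1
commit 2222222222222222222222222222222222222222
diff --git a/deploy.cfg b/deploy.cfg
--- a/deploy.cfg
+++ b/deploy.cfg
@@ -1,3 +1,2 @@
 [aws]
-aws_access_key_id = AKIAIOSFODNN7EXAMPLE
 region = us-east-1
commit 3333333333333333333333333333333333333333
diff --git a/app.log b/app.log
--- /dev/null
+++ b/app.log
@@ -0,0 +1,3 @@
+Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c2FtcGxlLXBheWxvYWQ.Zm9vYmFyYmF6cXV4
+db_password = "hunter2hunter2"
+SLACK_HOOK_TOKEN=q7Zr2LmX9pVw4KtB8nYs3HcJ6dFg5RkM1TaN0eWu
"""

if __name__ == "__main__":
    for f in scan_diff_text(SAMPLE_DIFF):
        print(f"{f['commit']} {f['path']}: {f['kind']}")
```

Run it on a real checkout with `scan_repo("/path/to/repo")`; the `--all` flag matters, because secrets often survive only on stale branches. Pattern hits are cheap and precise, the entropy check is the noisy catch-all, and a finding is only the start: the credential has to be rotated, since rewriting history does not un-leak a key that was already pushed.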

------
anticensor
TL;DR: Microsoft failed to protect its own secrets

------
somurzakov
if it is in the cloud, it will be eventually hacked

~~~
jaywalk
Why?

~~~
somurzakov
Because cloud security (and cloud configuration in general) is hard. People
check in sensitive stuff to GitHub repos all the time, and misconfigure IAM
policies just so that it works (Capital One).

It is a new and ever-changing field; there are many cloud vendors, and their
product lines and configurations change all the time, meaning it will take a
lot of time until the majority of IT specialists become familiar with
configuring a secure cloud and the majority of users of those cloud services
stop making security mistakes.

~~~
smolder
That only covers some cases, not the absolute of everything in the cloud
eventually being hacked. Plenty of people are competent at secure cloud based
systems. Your claim and your support don't match. I expected this to go more
in the direction of: cloud providers are such big juicy targets they'll just
be infiltrated by advanced persistent threats who in turn gain illicit access
to everything hosted.

------
antidaily
WE JUST WANT SUNRISE BACK

------
benatkin
Microsoft stands to benefit from getting their private code exposed, because
they can use it to claim that open source competitors are ripping it off.
[https://en.wikipedia.org/wiki/ReactOS#Internal_audit](https://en.wikipedia.org/wiki/ReactOS#Internal_audit)
[https://www.theregister.co.uk/2019/07/03/reactos_windows_res...](https://www.theregister.co.uk/2019/07/03/reactos_windows_research_kernel_claim/)

~~~
austincheney
That sounds like a fairly weak argument, because IP protections still apply to
open source, except for trade secrets. The degree of protection is dictated by
a project's license or, in the absence of a license, by a nation's default
copyright status.

In your first ReactOS example from 2006 it wasn't even Microsoft that
discovered or claimed the problematic code violation. It doesn't look like
Microsoft was involved at all.

