Sensitive login data related to Microsoft’s Azure services was leaked on GitHub. Cybersecurity research firm SpiderSilk discovered the exposed credentials on GitHub; they came from accounts belonging to Microsoft employees.
The credential leak seems to have been unintentional, and Microsoft said the credentials haven’t been used to access sensitive data on the Azure servers. Microsoft acquired GitHub a while back, and such password leaks on the very platform that it owns are surprising.
How did the Microsoft passwords leak on GitHub?
Motherboard got in touch with SpiderSilk, which discovered the exposed login credentials on GitHub. The firm explained that seven login credentials were out in the open and could be used by an attacker. The password exposure was unintentional, but if someone had obtained them, it could have turned into a full-blown system penetration attack.
SpiderSilk’s CSO Mossab Hussein shared that three out of the seven login credentials were working when they discovered them. The other four didn’t work at that time but could have been used by someone in the past to infiltrate the Azure servers.
He added that accidental source code sharing and credential uploads are becoming extremely common. They create an entry point for attackers to gain access to servers that are otherwise difficult to break into.
Microsoft didn’t share details with Motherboard about the credential leak. A spokesperson said there was no evidence that sensitive data was accessed or that the credentials were used improperly. The company added that it was actively investigating the issue and would work to curb the inadvertent sharing of credentials.
Recently, Slack also shared news about a bug that could have exposed the login credential of a user to everyone in a channel. It advised all the affected users to change their passwords via email. Such incidents are increasingly common, and even a minor security flaw can attract attackers and end up compromising sensitive user data.