A hacker claims to have stolen more than 500GB of data from private repositories on Microsoft’s GitHub account. Microsoft, which owns GitHub, has yet to comment publicly on the reported breach, which does not appear to affect any of the company’s major software products.
The hacker, known as “Shiny Hunters,” revealed the theft to the news site Bleeping Computer. The perpetrator claimed to have downloaded more than 500GB of files from Microsoft’s private GitHub repositories and said they had intended to sell the source code online. Instead, they now plan to release it for free.
Shiny Hunters provided directory listings showing the name, size, and timestamp of each stolen file. None of these repositories seem to involve Microsoft’s major products, such as Windows, Office and Xbox. Instead, they are mostly code samples, test projects, e-books, and other generic projects.
In fact, the veracity of the entire breach has been disputed. Microsoft employee Sam Smith said on Twitter that the company only uses GitHub for projects that eventually become open source and public. He initially wrote that Microsoft’s rules required all GitHub repositories to be made public within 30 days of their creation, but the tweet was later deleted.
Whether the claim is true or false, the prevailing consensus is that the breach has no impact on Microsoft. If it is true, the most pressing concern will be how the hackers gained access in the first place. Other security researchers have noted that GitHub repositories often contain private API keys and passwords that developers have mistakenly added, which, if found and used, could further expose Microsoft’s information.