Microsoft denied that 30 million Microsoft account information had been compromised

Some time ago, an anonymous group from Sudan initiated DDoS attacks on various Microsoft online services, precipitating intermittent interruptions across multiple Microsoft 365 services.

While there exists no feud between this hacker collective and Microsoft, Anonymous Sudan justifies their assault on a large American tech corporation as a response to US interference in Sudanese politics.

Initially, Microsoft was reticent to admit falling victim to the Anonymous Sudan attack, attributing the issue to infrastructure problems. However, following media coverage, Microsoft ultimately conceded to the assault.

Yesterday, Anonymous Sudan claimed to have infiltrated Microsoft’s internal systems and pilfered the data of 30 million Microsoft accounts, including email addresses and passwords.

Anonymous Sudan proclaimed in their subscription channel that they successfully breached Microsoft and could access a large database containing 30 million Microsoft accounts and related information.

They set the price for this voluminous database at 50,000 dollars. The information principally includes Microsoft accounts, associated email addresses, and plain text passwords.

According to industry norms, when selling a database, it is customary to provide a sample for verification, to preclude instances of fraud involving fabricated or collated data.

Anonymous Sudan did provide samples, but the quantity was a meager 102 entries, all arranged according to email and password format, all in plain text.

In response to rumors of data leakage, Microsoft immediately issued a denial, stating that their system had not been breached, and the data in the samples did not originate from Microsoft.

Microsoft maintains that to date, no customer data has been stolen or leaked, with analysis indicating the hackers’ claims are unfounded, and these accounts are not genuinely valid.

To put it simply, it’s highly probable that the data provided by Anonymous Sudan is falsified, as Microsoft can easily verify account existence by comparing its data.

The provision of plain text passwords is particularly questionable. Even in the event of data leakage from Microsoft, passwords would be hashed and salted, making it improbable for plain text passwords to be stolen directly.

At present, Anonymous Sudan continues launching attacks on various European government websites. The false claim of stealing Microsoft data may be merely a ploy to garner further attention.

Via: bleepingcomputer