Microsoft is one of the world's largest technology companies, entrusted with vast amounts of data for millions of users and organizations around the world. As such, it is a frequent target of cyberattacks. Microsoft's tools are immensely valuable to millions of global users, who use its software to create and share their corporate and personal information. When these users leverage Microsoft tools like Outlook, OneDrive, and the 365 Office suite, they are often putting sensitive data into Microsoft's hands — so the downstream impacts of a Microsoft data breach, on organizations and individuals, can be enormous.
In the past 24 months, there have been several high-profile Microsoft data breaches and over 1,200 vulnerabilities reported, affecting millions of users and organizations. Here are the most notable events from fall 2021 through the time of writing, fall 2023.
In July 2023, Microsoft disclosed that a China-based adversary gained access to the email systems of several U.S. government agencies and think tanks. The breach affected approximately 10,000 organizations.
Virtru penned two blog posts with more context on the breach: One detailing the events that led to the discovery of the Microsoft Cloud hack, and one on the later revelations about the Microsoft encryption key management issues that amplified the attack’s impact. The hackers are believed to have used a vulnerability in Microsoft's cloud computing platform, Azure, to gain access to the systems. Furthermore, research from Wiz highlighted that the stolen MSA key could have allowed hackers to create access tokens for several Azure Active Directory applications.
This was, of course, highly concerning — especially as the impacted customers were largely government organizations. Virtru's Rob McDonald, NYU Adjunct Professor Michael Wilkes, and Chertoff Group's David London sat down to hash out the details of the Microsoft breach in this video.
In October 2022, a misconfiguration in Microsoft's Azure Blob Storage service exposed the personal data of over 548,000 users. The exposed data included names, email addresses, and phone numbers. Microsoft said that the data was not sensitive enough to warrant a notification to affected users.
In March 2022, the Lapsus$ group, a hacking group known for targeting major technology companies, breached Microsoft's internal systems. The group claimed to have stolen source code for several Microsoft products, including Bing, Cortana, and Exchange Server. Microsoft said that the breach did not affect customer data.
In August 2021, a misconfiguration in Microsoft's Power Apps platform exposed the personal data of over 38 million users. The exposed data included names, email addresses, and phone numbers. Microsoft said that the misconfiguration was caused by a third-party partner.
In August 2021, thousands of customer accounts and databases were exposed due to a Microsoft Azure misconfiguration. The exposed data included names, email addresses, and passwords. Microsoft said that the misconfiguration was caused by a third-party partner.
In April 2021, a massive LinkedIn data breach exposed the personal data of over 500 million LinkedIn users. The exposed data included names, email addresses, phone numbers, and passwords. The breach was caused by a vulnerability in LinkedIn's platform. (LinkedIn was acquired by Microsoft in 2016.)
According to the Common Vulnerabilities and Exposures (CVE) database, there have been over 1,292 Microsoft vulnerabilities reported in the past 24 months. This number includes vulnerabilities in Microsoft Windows, Microsoft Office, Microsoft Edge, and other Microsoft products.
One of the vulnerabilities that was most concerning was the Microsoft Office Message Encryption (OME) vulnerability that surfaced in 2022. The vulnerability itself was due to Microsoft OME utilizing a block cipher mode of operation called Electronic Code Book (ECB). Microsoft acknowledged the report and paid WithSecure a bug bounty. However, the vulnerability was not deemed enough of a priority to pursue a fix for. In an email to The Register at the time, a Microsoft spokesperson said, “The rights management feature is intended as a tool to prevent accidental misuse and is not a security boundary.” Since then, Microsoft has deprecated OME in favor of Purview Message Encryption, available for users of certain Microsoft subscription plans.
There are many benefits of leveraging Microsoft's software, but that doesn't mean you can't take precautions to protect your data on a more granular level that puts true power in your hands.
These breaches and vulnerabilities highlight the importance of layered protections: If you’re using Microsoft’s productivity software, of course you’ll want to make sure you’re regularly scanning systems for vulnerabilities, installing patches, and updating software. But beyond this, it’s important to consider the following questions:
If you are looking for a solution that adds layers of security to your Microsoft environment, Virtru can help. Virtru’s data-centric security for Microsoft includes:
Ready to shift some of your risk away from Microsoft and take control of your own data destiny? Contact Virtru for a demo. We’d love to show you what our products can do to secure your business and protect your data.
The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.View more posts by Editorial Team
Contact us to learn more about our partnership opportunities.