Recently, a hacker claimed to have stolen more than 500GB of data from Microsoft’s private GitHub repositories. Microsoft, which owns GitHub, has not yet commented publicly on the incident, which does not seem to affect any of the company’s major software products.
The hacker, who goes by “Shiny Hunters”, disclosed the theft by contacting the news site BleepingComputer. The perpetrator claimed to hold more than 500GB of files downloaded from Microsoft’s private GitHub repositories and said the original plan was to sell the source code online. The plan now is to release it for free.
After some research and because the actor dumped the entire dirlist of the private repositories, it appears this is real.
I doubt there is anything too private in these repositories but companies do sometimes leave keys/passwords on GitHub by mistake.
— Under the Breach 🦠 (@underthebreach) May 6, 2020
Shiny Hunters provided a directory listing that contains the name, size, and timestamp of each stolen file. None of these repositories seem to involve Microsoft’s main products, such as Windows, Office, and Xbox. Instead, they are mostly code samples, test projects, e-books, and other general-purpose projects.