Microsoft and identity authentication firm Okta are investigating possible attacks that may have been carried out by the South American hacking group Lapsus$. The group claims to have stolen the source code for Bing, Cortana, and internal Microsoft projects from the server.
$Lapsus released a torrent file on Monday that was said to contain 37GB of source code for about 250 projects, according to BleepingComputer. The group claims that the data includes 90 percent of Bing source code and 45 percent of Cortana and Bing Maps code. Other affected projects appear to include websites, mobile apps, and web-based infrastructure.
The leaks reportedly contain emails
Internal email and documentation related to published mobile applications. Torrents are not believed to include icon for desktop programs such as Windows or Microsoft Office.
“We are aware of the allegations and are investigating,” a Microsoft spokesperson told Engadget.
The same group has also targeted Okta, although the company says it has not yet found evidence of a new breach following an incident in January.
An Okta spokesperson told Engadget: “In late January 2022, Okta discovered an attempt to hack into the account of a third-party customer support engineer working for one of our subprocessors.
The matter has been investigated and contained by the sub-processor. We believe the screenshots shared online are related to the January event. Based on our investigation to date, there is no evidence of ongoing malicious activity other than the activity detected in January.”
$Lapsus has posted screenshots of what it claims are Okta’s internal systems. As the Wall Street Journal reported, the hackers claimed they were unable to access or obtain the data from Okta itself and focused on the company’s customers, including Cloudflare, Grubhub, Peloton, Sonos, T-Mobile and Engadget parent Yahoo.
The hacking group has attacked other high-profile targets in recent weeks, including NVIDIA, Samsung and Ubisoft. NVIDIA confirmed that hackers obtained the company’s data in February, while Lapsus claimed to have leaked 190GB of Samsung data.