Security News > 2022 > March > Microsoft investigating claims of hacked source code repositories
Microsoft says they are investigating claims that the Lapsus$ data extortion hacking group breached their internal Azure DevOps source code repositories and stolen data.
Early Sunday morning, the Lapsus$ gang indicated that they hacked Microsoft's Azure DevOps server by posting a screenshot on Telegram of alleged internal source code repositories.
While the leaking of source code makes it easier to find vulnerabilities in a company's software, Microsoft has previously stated that leaked source code does not create an elevation of risk.
"At Microsoft, we have an inner source approach - the use of open source software development best practices and an open source-like culture - to making source code viewable within Microsoft. This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code," explained Microsoft in a blog post about the SolarWinds attackers gaining access to their source code.
Source code repositories also commonly contain access tokens, credentials, API keys, and even code signing certificates.
Microsoft has previously said that they have a development policy that prohibits "Secrets," such as API keys, credentials, or access tokens, from including their source code repositories.