Over 21 Million User Records from Microsoft for Sale on Cybercrime Forum


A post on a cybercrime forum advertising 21 million Microsoft user records coincides with the corporate giant’s latest advisory on a Cosmos DB vulnerability.

Category: Adversary Intelligence
Affected Industries: IT and Security
Affected Region: Global
Source*: F5
Reference: * Intelligence source and information reliability - Wikipedia; # Traffic Light Protocol - Wikipedia

Executive Summary

• CloudSEK’s Threat Intelligence Research team discovered a post on a cybercrime forum advertising 21 million user records of Microsoft.
• Our researchers suspect that this incident is possibly related to Microsoft’s latest advisory, which warns its users about a newly discovered vulnerability in their Cosmos DB.
• CloudSEK’s Threat Intelligence Research team is validating the authenticity of this post.

Threat actor’s post on the cybercrime forum


Analysis and Attribution

On 20 August 2021, a threat actor published a post on a cybercrime forum claiming to have cracked 21 million Microsoft user accounts. Although the actor has not shared samples to substantiate their claim, they have described the process by which the data was obtained.

The Process

* The actor mentions that, during a system upgrade, Microsoft saved their data in temporary cloud storage.
* Further, the actor claims to have gained access to this ‘temporary’ cloud database, through which they received the hexadecimal form of a cookie, and cracked it using a public legal service.
* After completing these two steps, the actor gained access to the machine’s information as well as to the files and documents on it.
* Besides this, the actor also claims to have access to the browsing database along with the following data fields:
  * Website
  * Username
  * Password

Information from Comments

In the comments posted on this thread, another threat actor shared a sample of the above-mentioned database, which they had received from the original actor through their Telegram chat. Based on the samples, the data provided is as follows:

* Host name
* Creation date, last access date, and expiry date
* Path

Possible Connections

This post was published after an advisory from Microsoft that asked customers to patch their computers because of a vulnerability discovered in its cloud services. However, since the actor has not provided samples or mentioned the specific vulnerability or technology used, our researchers can link the two events only with low confidence.

Impact & Mitigation


