Over 21 Million User Records from Microsoft for Sale on Cybercrime Forum

A post on a cybercrime forum, advertising 21 million user records of Microsoft coincides with the corporate giant's latest advisory on a Cosmos DB vulnerability.
Updated on
April 19, 2023
Published on
September 1, 2021
Category: Adversary Intelligence
Affected Industries: IT and Security
Affected Region: Global
Source*: F5
Reference: *https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability #https://en.wikipedia.org/wiki/Traffic_Light_Protocol

Executive Summary

• CloudSEK’s Threat Intelligence Research team discovered a post on a cybercrime forum advertising 21 million Microsoft user records.
• Our researchers suspect that Microsoft’s latest advisory, which warns users about a newly discovered vulnerability in Cosmos DB, is possibly related to this incident.
• CloudSEK’s Threat Intelligence Research team is validating the authenticity of this post.

[Figure: Threat actor’s post on the cybercrime forum]

Analysis and Attribution

On 20 August 2021, a threat actor published a post on a cybercrime forum claiming to have cracked 21 million Microsoft user accounts. Although the actor has not shared samples to substantiate the claim, they have described the process by which the data was obtained.

The Process
• The actor mentions that during a system upgrade Microsoft saved their data in temporary cloud storage.
• Further, the actor claims to have gained access to this ‘temporary’ cloud database, through which they obtained the hexadecimal form of a cookie, and cracked it using a public, legal service.
• After completing these two steps, the actor gained access to the machine’s information as well as to the files and documents on it.
• Besides this, the actor also claims to have access to the browsing database, along with the following data fields:
  • Website
  • Username
  • Password

Information from Comments
In the comments posted on this thread, another threat actor shared a sample of the above-mentioned database, which they received from the original actor via Telegram chat. Based on the samples, the data provided is as follows:
  • Host name
  • Creation date, last access date, and expiry date
  • Path

Possible Connections
This post was published subsequent to an advisory from Microsoft that requested customers to patch their systems due to a vulnerability discovered in its cloud services. However, since the actor has not provided samples or mentioned the specific vulnerability or technology used, our researchers believe, with low confidence, that the two events may be linked.

      Impact & Mitigation

Impact
• The above post contains users’ PII, which can potentially be used by threat actors to conduct various attacks such as:
  • Social engineering attacks
  • Phishing attacks
  • Identity theft
• Targeted gathering of Cosmos DB account information.
• Retrieval of the credential key, leading to account takeover.
• Loss of data integrity through unauthorized modification, and compromise of data confidentiality through exfiltration.


