Microsoft has informed the US Department of Veteran Affairs (VA), the US Agency for Global Media (USAGM), and the Peace Corps that a cybersecurity breach it suffered back in November 2023 also affected the respective agencies. In the case of USAGM, attackers might even have stolen some data, although security data and personally identifiable information (PII) were reportedly not taken.
Russian state-sponsored hacking group Midnight Blizzard breached Microsoft in late November 2024 and managed to steal sensitive information from the email accounts of certain high-value individuals, including senior executives. While Microsoft didn’t clarify how many or what emails were accessed, it did state that the compromised accounts included members of the company’s senior leadership and those in the cybersecurity and legal departments.
The attack was caught on January 12, and further investigation revealed a password-spraying attack to compromise a legacy non-production test tenant account.
The hacking group used this account to access a small percentage of Microsoft corporate accounts. Microsoft changed its approach to security in the future, even adding that it might cause some disruptions.
Microsoft spokesperson Jeff Jones told The Verge that as the investigation continues, Microsoft has been “reaching out to customers to notify them if they had corresponded with a Microsoft corporate email account that was accessed.” Jones added that the company will continue to coordinate, support, and assist our customers in taking mitigating measures.”
The Midnight Blizzard attack set fuel to a fire Microsoft had already ignited when it oversaw overhauling its cybersecurity systems following multiple security failures. Going forward, Redmond has made security its top priority to restore its customers’ lost trust.
In the News: Almost 10 billion stolen passwords uploaded to cybercrime forum
