{ "id": "e171a1a1-370c-40d8-a4a0-821ea042a50a", "created_at": "2026-04-06T00:13:52.199743Z", "updated_at": "2026-04-10T03:28:46.855048Z", "deleted_at": null, "sha1_hash": "484f54eaf4131bb0b42820c449f7b079d05cd0ae", "title": "Lapsus$ hackers leak 37GB of Microsoft's alleged source code", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2218948, "plain_text": "Lapsus$ hackers leak 37GB of Microsoft's alleged source code\r\nBy Lawrence Abrams\r\nPublished: 2022-03-22 · Archived: 2026-04-05 13:20:42 UTC\r\nThe Lapsus$ hacking group claims to have leaked the source code for Bing, Cortana, and other projects stolen from\r\nMicrosoft's internal Azure DevOps server.\r\nEarly Sunday morning, the Lapsus$ gang posted a screenshot to their Telegram channel indicating that they hacked\r\nMicrosoft's Azure DevOps server containing source code for Bing, Cortana, and various other internal projects.\r\nScreenshot of Microsoft's Azure DevOps account leaked by Lapsus$\r\nMonday night, the hacking group posted a torrent for a 9 GB 7zip archive containing the source code of over 250 projects\r\nthat they say belong to Microsoft.\r\nhttps://www.bleepingcomputer.com/news/microsoft/lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/microsoft/lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nWhen posting the torrent, Lapsus$ said it contained 90% of the source code for Bing and approximately 45% of the code for\r\nBing Maps and Cortana.\r\nEven though they say only some of the source code was leaked, BleepingComputer is told that the uncompressed archive\r\ncontains approximately 37GB of source code allegedly belonging to Microsoft.\r\nLeaked source code projects\r\nSecurity researchers who have pored over the leaked files told BleepingComputer that they appear to be legitimate internal\r\nsource code from Microsoft.\r\nFurthermore, we are told that some of the leaked projects contain emails and documentation that were clearly used internally\r\nby Microsoft engineers to publish mobile apps.\r\nThe projects appear to be for web-based infrastructure, websites, or mobile apps, with no source code for Microsoft desktop\r\nsoftware released, including Windows, Windows Server, and Microsoft Office.\r\nWhen we contacted Microsoft about tonight's source code leak, they continued to tell BleepingComputer that they are aware\r\nof the claims and are investigating.\r\nLapsus$ leaks data left and right\r\nLapsus$ is a data extortion hacking group that compromises corporate systems to steal source code, customer lists,\r\ndatabases, and other valuable data. They then attempt to extort the victim with ransom demands not publicly to leak the data.\r\nOver the past few months, Lapsus$ has disclosed numerous cyberattacks against large companies, with confirmed attacks\r\nagainst NVIDIA, Samsung, Vodafone, Ubisoft, and Mercado Libre.\r\nSo far, most of the attacks have targeted source code repositories, allowing the threat actors to steal sensitive, proprietary\r\ndata, such as NVIDIA's lite hash rate (LHR) technology that enables graphics cards to reduce a GPU's mining capacity.\r\nIt is unknown how the threat actors are breaching these repositories, but some security researchers believe that they are\r\npaying corporate insiders for access.\r\n\"From my perspective, they keep on getting their access using corporate insiders,\" threat intelligence analyst Tom\r\nMalka told BleepingComputer.\r\nThis theory is not far-fetched, as Lapsus$ has previously announced that they are willing to buy access to networks from\r\nemployees.\r\nhttps://www.bleepingcomputer.com/news/microsoft/lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code/\r\nPage 3 of 5\n\nLapsus$ recruiting corporate insiders\r\nHowever, it may be more than that, as Lapsus$ posted screenshots of their access to what they claim are Okta's internal\r\nwebsites. As Okta is an authentication and identity management platform, if Lapsus$ successfully breached the company,\r\nthey could potentially use that as a springboard to the company's customers.\r\nAs for Lapsus$, they have grown a large following on Telegram, with over 33,000 subscribers on their main channel, and\r\nover 8,000 on their chat channel.\r\nThe extortion group uses their very active Telegram channels to announce new leaks, attacks, and to chat with their fans, and\r\nthey seem to be enjoying the notoriety.\r\nWith the RaidForums data breach forum shut down, we are likely seeing many of the regulars from that site now interacting\r\ntogether in Lapsus$'s Telegram channels.\r\nFor the time being, we will likely see more breaches coming while Lapsus$ and their fans celebrate the data leaks.\r\nhttps://www.bleepingcomputer.com/news/microsoft/lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/microsoft/lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code/\r\nhttps://www.bleepingcomputer.com/news/microsoft/lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/microsoft/lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code/" ], "report_names": [ "lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code" ], "threat_actors": [ { "id": "be5097b2-a70f-490f-8c06-250773692fae", "created_at": "2022-10-27T08:27:13.22631Z", "updated_at": "2026-04-10T02:00:05.311385Z", "deleted_at": null, "main_name": "LAPSUS$", "aliases": [ "LAPSUS$", "DEV-0537", "Strawberry Tempest" ], "source_name": "MITRE:LAPSUS$", "tools": [ "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "d4b9608d-af69-43bc-a08a-38167ac6306a", "created_at": "2023-01-06T13:46:39.335061Z", "updated_at": "2026-04-10T02:00:03.291149Z", "deleted_at": null, "main_name": "LAPSUS", "aliases": [ "Lapsus", "LAPSUS$", "DEV-0537", "SLIPPY SPIDER", "Strawberry Tempest", "UNC3661" ], "source_name": "MISPGALAXY:LAPSUS", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2347282d-6b88-4fbe-b816-16b156c285ac", "created_at": "2024-06-19T02:03:08.099397Z", "updated_at": "2026-04-10T02:00:03.663831Z", "deleted_at": null, "main_name": "GOLD RAINFOREST", "aliases": [ "Lapsus$", "Slippy Spider ", "Strawberry Tempest " ], "source_name": "Secureworks:GOLD RAINFOREST", "tools": [ "Mimikatz" ], "source_id": "Secureworks", "reports": null }, { "id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b", "created_at": "2022-10-25T16:07:24.503878Z", "updated_at": "2026-04-10T02:00:05.014316Z", "deleted_at": null, "main_name": "Lapsus$", "aliases": [ "DEV-0537", "G1004", "Slippy Spider", "Strawberry Tempest" ], "source_name": "ETDA:Lapsus$", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434432, "ts_updated_at": 1775791726, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/484f54eaf4131bb0b42820c449f7b079d05cd0ae.pdf", "text": "https://archive.orkl.eu/484f54eaf4131bb0b42820c449f7b079d05cd0ae.txt", "img": "https://archive.orkl.eu/484f54eaf4131bb0b42820c449f7b079d05cd0ae.jpg" } }