Microsoft denies these allegations, claiming that Hold Security is mischaracterizing the agreement and dismissing the claims made by the cybersecurity firm in the lawsuit.
The tech giant Microsoft is in hot water again, this time for allegedly misusing stolen credentials. Cyber intelligence firm Hold Security LLC has filed a lawsuit against the company in King County Superior Court in Seattle, Washington.
Hold Security has accused Microsoft of misusing over 360 million compromised credentials collected from the Dark Web, which were part of Hold Security’s database. Hold Security LLC is a cybersecurity company that specializes in threat intelligence, dark web breach monitoring, and incident response services.
Hold Security’s Stance
Hold Security signed an agreement with Microsoft in 2014 granting Microsoft access to its database of compromised login IDs and passwords so that Microsoft could secure its customers. Now, the Milwaukee-based firm claims that Microsoft violated several terms of this agreement, for example by failing to destroy credentials not associated with Microsoft.
Per Hold Security, Microsoft could only access its customers’ records and delete the data linked to those accounts after notifying the customers. However, the Redmond-based firm didn’t comply and misused the database.
“The purpose of the parties’ agreements … was for Microsoft to match the received stolen credentials with their own customers’ account credentials… in order to alert these customers of the compromised information,” stated Hold Security’s legal team.
Details of the Lawsuit
The lawsuit is based on two acquisitions- a Twitter exchange between two renowned personalities from the cybersecurity fraternity and Microsoft’s effort to disrupt the criminal network operating Trickbot malware.
The alleged misuse of the database started four years ago. It is claimed that Microsoft “improperly and without authorization” accessed stolen account credentials to create its on-prem security token service, Active Directory Federation Services (ADFS). However, it is not yet clear how Microsoft used these credentials to create the service.
In addition, the company is accused of using accounts in Hold’s database improperly and without authorization for administering GitHub and LinkedIn. It is worth noting that Microsoft acquired these services after the agreement was signed between the two companies.
Furthermore, Microsoft is accused of “commandeering” historical data and sharing it with third parties via the Edge browser. How the data was shared is also unclear. Hold Security also suspects that Microsoft misused its data in several other ways.
The company discovered this misuse in 2021, after which its CEO, Alex Holden, discussed the issue with Microsoft. Holden also claimed that Microsoft ran a harassment campaign against him and his company after the agreement violation was discovered, asking employees to stop working with Hold Security when Microsoft took down the TrickBot network.
Moreover, Holden stated that Microsoft employees posted false information on Twitter, which forced cybersecurity journalist Brian Krebs to resign from Hold Security’s board. Krebs didn’t validate this claim, though.
Conversely, Microsoft denies these allegations, claiming that Hold Security is mischaracterizing the agreement, and has dismissed the claims made by the cybersecurity firm in the lawsuit. Here’s the statement Microsoft released to counter Hold’s claims.
“Over the past several months, Microsoft has been in contact with Hold Security’s representatives in an effort to resolve amicably a dispute over the parties’ contractual relationship. Because the claims in the lawsuit do not accurately reflect the contract’s terms, Microsoft will be seeking a dismissal of the claims.”
Microsoft will be sharing more details in an upcoming dismissal motion. Therefore, stay tuned; this article will be updated accordingly.