Lapsus$ Claims Massive Microsoft Azure DevOps Source Leak – What Was Exposed?

Lapsus$ claims to have leaked source code stolen from Microsoft’s internal Azure DevOps servers, covering Bing, Cortana and numerous other projects.

On Sunday morning the group posted a screenshot on its Telegram channel indicating the breach.

On Monday night Lapsus$ released a 7‑zip compressed torrent of about 9 GB that allegedly contains source code for more than 250 Microsoft projects, stating it includes roughly 90 % of Bing Maps dump logs and about 45 % of Bing and Cortana dump logs.

According to BleepingComputer, the uncompressed archive is roughly 37 GB of source code claimed to belong to Microsoft.

Security researchers who examined the files say they appear to be genuine Microsoft internal source code; some of the leaked projects involve email and documentation used by engineers for mobile app releases.

The leaked material is limited to web‑based infrastructure, websites or mobile applications and does not contain source code for Microsoft’s desktop software such as Windows, Windows Server or Microsoft Office.

When contacted, Microsoft confirmed awareness of the incident and said an investigation is underway, noting that the company does not rely on source‑code protection for product security, so the breach’s impact should be minimal.

Reports suggest the leader of Lapsus$ is a 16‑year‑old autistic male living in the UK, known online as SigmA, wh1te, Breachbase or Alexander Pavlov, though the group later denied his arrest.