Microsoft Source Code Leak: What Lapsus$ Exposed and Its Security Impact

Hackers affiliated with the Lapsus$ group announced that they had infiltrated Microsoft’s Azure DevOps servers and extracted source code from more than 250 internal projects, among them Bing, Cortana and other services.

On a Sunday morning the group posted a screenshot on their Telegram channel showing the compromised Azure DevOps repository. The following night they released a 7‑zip compressed torrent file of about 9 GB, which they claimed contained the source code for the 250+ projects.

The torrent reportedly includes roughly 90 % of Bing Maps dump logs and about 45 % of Bing and Cortana dump logs. Although the hackers said only part of the code was leaked, the uncompressed archive is estimated to be around 37 GB.

Security researchers who examined the files confirmed that the material appears to be genuine Microsoft source code obtained through legitimate internal channels. Some of the leaked projects contain email and documentation assets that Microsoft engineers use for publishing mobile applications.

The disclosed code is limited to web‑based infrastructure, websites and mobile apps; it does not include any desktop software such as Windows, Windows Server, or Microsoft Office.

When contacted, Microsoft acknowledged awareness of the incident and said an investigation was underway. The company has previously stated that it does not rely on source‑code secrecy for product security, suggesting the breach’s overall impact is likely minimal.