Microsoft stands accused by cyber intelligence firm Hold Security of violating an agreement between the pair by misusing Hold’s database of more than 360 million sets of credentials culled from the dark web.
In a lawsuit filed in King County Superior Court in Washington, Hold said it had an agreement with Microsoft going back to 2014 to grant the Windows giant access to its database of compromised accounts with the expectation that Microsoft would limit use to matching Hold’s records against Microsoft customer accounts.
“The purpose of the parties’ agreements … was for Microsoft to match the received stolen credentials with their own customers’ account credentials… in order to alert these customers of the compromised information,” Hold’s lawyers said in the lawsuit.
Data that didn’t match Microsoft accounts was not to be used, and data linked to accounts was to be deleted after individuals were notified and the issue was resolved. Microsoft conformed to neither of those agreed-upon terms, the lawsuit alleges.
Allegations of misuse …
The bad behavior began four years after Hold and Microsoft began doing business, the suit claims.
Microsoft “improperly and without authorization utilized stolen account credentials accessed through Hold in creating” Active Directory Federation Services (ADFS), Microsoft’s on-prem security token service, the suit claims.
It’s unclear how Microsoft used the stolen credentials to create ADFS; we’ve asked Hold’s legal team for more details but haven’t heard back.
The suit also accuses Microsoft of “improperly and without authorization” using stolen accounts in Hold’s database in its administration of LinkedIn and GitHub, both of which were acquired after the initial statement of work that defined which domains Microsoft could collect data for.
The lawsuit further accuses Microsoft of “commandeering” historical data, which it then made available to third parties through its Edge browser. How that data was made accessible isn’t clear in the lawsuit – we asked Hold’s lawyers about that too.
Along with all of the above, the suit claims “upon information and belief” that “there may have been additional misuse of the data.”
Hold claims in the suit to have discovered in 2021 that Microsoft had been “wrongfully retain[ing] stolen account credentials in contravention of the parties’ agreement,” and that Hold CEO Alex Holden contacted Microsoft to discuss the issue.
“Microsoft refused to adhere to the agreed scope of use. Microsoft continued to utilize the accessed stolen account credentials, both matched and unmatched, for its own purposes,” the lawsuit alleges.
… and abuse
Along with claiming that Microsoft was collecting and using data in violation of its agreements with Hold, the lawsuit also alleges Microsoft waged a harassment campaign against Hold and Holden when the companies began to have issues.
Hold’s lawyers claim Microsoft directed its employees to cease working with Hold after Holden made claims critical of Microsoft’s takedown of the TrickBot network, and that Microsoft employees tweeted false information that made cybersecurity journalist Brian Krebs resign from Hold’s board, a report Krebs disputed.
Krebs said in 2020 that he was never paid for his work with Hold. He added in an email to GeekWire recently: “I asked Alex to remove my name after 10 years because his company appeared to be prospering, and because [Microsoft’s] tweet wasn’t the first time someone called attention to [Krebs being on Hold’s board] without any context, or hinting at something nefarious.”
A spokesperson at Microsoft sent us a statement:
“Over the past several months, Microsoft has been in contact with Hold Security’s representatives in an effort to resolve amicably a dispute over the parties’ contractual relationship. Because the claims in the lawsuit do not accurately reflect the contract’s terms, Microsoft will be seeking a dismissal of the claims.” ®