A Rube Goldberg chain of failures led to breach of Microsoft-hosted government emails
by Wes Davis from The Verge - All Posts on (#6EH3W)
Illustration: The Verge In the first half of July, Microsoft disclosed that the Chinese hacking group Storm-0558 had gained access to emails from around 25 organizations, including agencies in the US government. Today, the company is explaining how that happened thanks to a series of internal errors while sharply underscoring just how serious a responsibility it is to maintain massive, growing software infrastructure in an increasingly digitally insecure world.
According to Microsoft's investigation summary, Storm-0558 was able to gain access to corporate and government emails by obtaining a Microsoft account consumer key," which let them create access tokens to their targets' accounts.
Storm-0558 obtained the key after a Rube Goldberg machine-style series of...