Microsoft Sued for Allegedly Misusing Stolen Passwords

A security firm has filed a lawsuit against Microsoft, alleging that the company misused a database of stolen passwords.

Software giant Microsoft (MSFT) is being sued by cybersecurity firm Hold Security LLC, which claims that the company mishandled a vast database containing over 360 million logins and passwords. Hold Security alleges that Microsoft violated their contractual agreement by exceeding the agreed scope of use for the stolen account credentials. The lawsuit was filed in King County Superior Court in Washington state.

According to Hold Security, the firm provided Microsoft with access to the compromised emails and passwords in 2014 to help protect Microsoft customers. However, in subsequent years, Microsoft allegedly used the information beyond the agreed-upon purpose, including for the administration of Microsoft-owned LinkedIn and GitHub. Hold Security discovered the improper use in early 2021 and contacted Microsoft, but the tech company refused to adhere to the agreed scope of use.

The lawsuit claims that Microsoft continued to utilize both matched and unmatched stolen account credentials for its own purposes, even though the agreement stipulated that non-Microsoft domain credentials would be destroyed. Hold Security further contends that Microsoft used the stolen account credentials without permission for an updated version of its Active Directory Federation Services, which enables federated identity and access management.

In response to the complaint, a Microsoft spokesperson stated that the claims in the lawsuit do not accurately reflect the terms of the contract. Microsoft has been in contact with Hold Security’s representatives in an attempt to resolve the dispute amicably. The spokesperson also mentioned that Microsoft plans to seek a dismissal of the claims and will provide further details in its forthcoming motion.

Relations between Hold Security and Microsoft reportedly soured around 2020 after the parties renewed their relationship. Hold alleges that Microsoft attempted to purchase historical account credentials, which Hold was unable to pursue for ethical and legal reasons. As a result, Microsoft allegedly commandeered the data and allowed third parties to use it via the Microsoft Edge web browser. Hold also claims that Microsoft retaliated against it, resulting in a significant loss of business and damage to its reputation.

The lawsuit highlights the importance of proper data handling and adherence to contractual agreements in the cybersecurity and technology industry. As the case unfolds, the outcome will shed light on the responsibilities of tech companies when it comes to protecting personal data and respecting the terms of their agreements with cybersecurity firms like Hold Security.