Microsoft says the lawsuit mischaracterizes its contract with Hold Security, and the company will seek to dismiss it. (GeekWire File Photo / Todd Bishop)

[Update, Dec. 8, 2023: A federal judge in Seattle granted Microsoft’s motion to dismiss this suit by Hold Security LLC, but left the door open for the Milwaukee-area company to refile its complaint.]

A security threat intelligence firm alleges that Microsoft misused the firm’s database of more than 360 million compromised account logins and passwords, culled from the dark web.

The firm, Hold Security LLC, based in the Milwaukee area, says Microsoft didn’t keep its promise to destroy its copies of credentials not associated with Microsoft logins after using them to help secure its own customers.

Microsoft says the allegations mischaracterize its agreement with the firm. The Redmond-based company says it will seek to dismiss a lawsuit filed by Hold Security this week in King County Superior Court in Seattle.

The suit touches on two of Microsoft’s biggest acquisitions; a Twitter exchange between two well-known figures in cybersecurity; and the tech giant’s efforts to disrupt the criminal network behind the Trickbot malware.

Database of stolen credentials: The suit explains, “In early 2014, Hold, through confidential business practices and its own work product, obtained access to over 360 million stolen account credentials on the Dark Web. These account credentials consisted of compromised emails and passwords.”

According to the suit, Microsoft contracted with Hold to use the credentials to help secure its customers, alerting them that their logins and passwords were compromised. The suit says any stolen credentials not matching a Microsoft account “were not to be used by Microsoft and were to be destroyed by Microsoft.”

“This was a critical aspect of the parties’ understandings and agreement,” it adds. “Neither Microsoft nor Hold contemplated or communicated a use for the stolen account credentials outside of only protecting Microsoft’s then-existing customers.”

Allegations of misuse: Hold Security alleges in the suit that Microsoft improperly applied the stolen credentials, beyond the scope of their 2015 agreement, to Active Directory Federation Services (AD FS), and to LinkedIn and GitHub, two companies acquired by Microsoft in 2016 and 2018, respectively.

The suit alleges that Microsoft used the stolen credentials “in its administration of” LinkedIn and GitHub, but does not give further detail on that point. Lawyers for Hold Security did not respond to requests for comment this week.

“Hold was not aware of Microsoft’s improper use of the stolen account credentials in the AD FS, LinkedIn, and Github transactions, and, upon information and belief, believes there may have been additional misuse of the data outside of those delineated above,” the suit says.

The suit alleges that Microsoft later “commandeered” Hold Security’s database of stolen credentials and improperly allowed third parties to use Hold’s services through its Edge web browser, after Microsoft ended additional licensing talks with Hold Security in 2020.

Microsoft response: “Over the past several months, Microsoft has been in contact with Hold Security’s representatives in an effort to resolve amicably a dispute over the parties’ contractual relationship,” a Microsoft spokesperson said in a statement. “Because the claims in the lawsuit do not accurately reflect the contract’s terms, Microsoft will be seeking a dismissal of the claims.”

Asked to elaborate on the assertion that the suit doesn’t accurately reflect the contract’s terms, the spokesperson said details would be included in Microsoft’s forthcoming motion to dismiss the lawsuit.

Allegations of retaliation: The suit also makes claims of retaliation, alleging that Microsoft sought to undermine Hold Security after its owner, Alex Holden, told a reporter in October 2020 that Microsoft’s efforts to disrupt the criminal operation behind the Trickbot malware were not a “decisive victory.”

Hold Security alleges that a leader of Microsoft’s Digital Crimes Unit instructed Microsoft employees to stop doing business with the firm.

“Microsoft seemingly took issue with Mr. Holden’s public comments and decided to retaliate against Hold,” the suit says, in part. “This resulted in a significant loss of business for Hold.”

October 2020 Twitter exchange: In the same vein, the suit cites an October 2020 Twitter exchange between Kevin Beaumont, who was then a Microsoft senior threat intelligence analyst, and cybersecurity journalist Brian Krebs.

A tweet by Beaumont at the time linked to an Oct. 28, 2020, story by Krebs that cited Holden as a source. Beaumont noted that Hold Security listed Krebs “on their board” on its website at the time.

The Hold Security site listed Krebs as a member of the Hold Security advisory board (see archive here).

On Twitter at the time, Beaumont added, “it is not a slam at Hold Security, Brian Krebs or the overall hospital ransomware story. I was just surprised to see a journalist listed as a board member on a cybersecurity company mixed in a big Trickbot story.”

Krebs responded at the time that he was an unpaid advisor.

Contacted via email this week about the suit, Krebs elaborated:

Alex and I started our own companies at roughly the same time, and when he asked if I would be on his advisory board I didn’t hesitate, because I wanted to see him succeed. I neither expected nor received compensation in return. I asked Alex to remove my name after 10 years because his company appeared to be prospering, and because Mr. Beaumont’s tweet wasn’t the first time someone called attention to it without any context, or hinting at something nefarious.

The suit alleges that Beaumont, “on behalf of Microsoft, tweeted false information about Hold, which resulted in Hold losing a key member of its board of advisors – Brian Krebs. This resulted in additional loss of business for Hold.”

Beaumont, who no longer works for Microsoft, said this week that the suit’s statements about him weren’t true, and that Microsoft never directed him to tweet anything about Hold Security or anything related to the situation.

“I only ever had one request to tweet something at Microsoft, which was a marketing blog about firmware attacks — I declined as it wasn’t good,” Beaumont said. “I never knew about a data sharing agreement, nor worked in an area that used said data — I was in a different business unit.”

Beaumont said he agreed with Hold Security that Microsoft’s attempted takedown of Trickbot wasn’t successful.

Here’s the lawsuit:

Hold Security v. Microsoft by GeekWire on Scribd
