Microsoft Sued Over Alleged Misuse of Stolen Passwords

Microsoft  (MSFT) - Get Free Report has been sued by a security company that alleges it improperly handled a huge database of personal data.

Hold Security LLC, an intelligence firm headquartered near Milwaukee, says Microsoft misused its collection of more than 360 million logins and passwords.

DON'T MISS: Amazon Has Explicit Words On Concerns It Broke Privacy Laws 

Hold Security claims Microsoft is in breach of contract. The suit was filed in King County Superior Court in Washington state.

"Hold Security LLC's suit alleged it gave Microsoft access in 2014 to more than 360 million stolen account credentials -- consisting of compromised emails and passwords -- for use in protecting Microsoft customers," according to Law360.  "Microsoft, however, in subsequent years, went far beyond the agreed scope of use for the credentials and used the information for its own purposes, including for the administration of Microsoft-owned LinkedIn and Github."

Details From the Lawsuit Emerge

Several years later, after the initial granting of access, in early 2021, the Wisconsin company discovered the improper use, Hold Security said.

"When Hold owner Alex Holden contacted the tech company regarding the discovery, Microsoft 'refused to adhere to the agreed scope of use,'" the complaint claimed, according to Law360.

"Microsoft continued to utilize the accessed stolen account credentials, both matched and unmatched, for its own purposes," the lawsuit said. This use allegedly included the administration of Microsoft-owned LinkedIn and Github.

Microsoft and Hold Security agreed in 2015, the complaint said, that Microsoft would match the stolen credentials with its users so the software company could let them know that their information was affected.

"Microsoft promised to destroy the non-Microsoft domain credentials," Hold Security said, according to Law360.

"But Hold contended Microsoft defied its promises, including around 2018, when it used the stolen account credentials without permission for an updated version of its Active Directory Federation Service, which enables federated identity and access management," according to Law360. "Federated identity management is a system that lets users link their electronic identities, allowing for a single credential to authorize access across multiple applications."

Microsoft Responds to the Complaint

A Microsoft spokesperson made a statement to Law360 regarding the matter.

"Over the past several months, Microsoft has been in contact with Hold Security's representatives in an effort to resolve amicably a dispute over the parties' contractual relationship," the spokesperson said, according to Law360. "Because the claims in the lawsuit do not accurately reflect the contract's terms, Microsoft will be seeking a dismissal of the claims."

"Asked to elaborate on the assertion that the suit doesn’t accurately reflect the contract’s terms," Geekwire (a publication that apparently received a similar statement from Microsoft) reported,  "the spokesperson said details would be included in Microsoft’s forthcoming motion to dismiss the lawsuit."

Law360 provided some additional background on the dispute.

Hold's dealings with Microsoft soured around 2020, according to the suit, soon after the parties renewed their relationship in June 2020 through an additional master supplier services agreement.

The following month, Microsoft representatives sought to purchase historical account credentials — a sale Hold was "ethically and legally unable" to pursue given the nature of the information, the suit alleged. That's when Microsoft instead "chose to commandeer the historical data," Hold said, and allowed third parties to use the allegedly commandeered data through the Microsoft Edge web browser.

Hold claimed Microsoft also retaliated against it following Alex Holden's October 2020 comments to an industry publication which said Microsoft's efforts to disrupt "TrickBot" malware were not yet a "decisive victory." A Microsoft employee directed other employees to stop working with Hold, the suit said, resulting "in a significant loss of business for Hold."

The company lost out on business again when a then-Microsoft employee posted "false information about Hold" to Twitter, resulting in Hold losing "a key member of its board of advisors," the complaint alleged.

Get exclusive access to portfolio managers and their proven investing strategies with Real Money Pro. Get started now.