Illustration: The Verge
In the first half of July, Microsoft disclosed that the Chinese hacking group Storm-0558 had gained access to emails from around 25 organizations, including agencies in the US government. Today, the company is explaining how that happened thanks to a series of internal errors while sharply underscoring just how serious a responsibility it is to maintain massive, growing software infrastructure in an increasingly digitally insecure world.
According to Microsoft’s investigation summary, Storm-0558 was able to gain access to corporate and government emails by obtaining a “Microsoft account consumer key,” which let them create access tokens to their targets’ accounts.
Storm-0558 obtained the key after a Rube Goldberg machine-style series of…