Microsoft(US:MSFT) TechCrunch·2025-01-10 23:38Legal Action and Security Breach - Microsoft filed a complaint in December 2024 in the U.S. District Court for the Eastern District of Virginia against a group of unnamed defendants for allegedly using stolen customer credentials and custom-designed software to breach the Azure OpenAI Service [1] - The company discovered in July 2024 that stolen API keys were used to generate content violating the service's acceptable use policy [2] - Microsoft accuses the defendants of violating the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, and a federal racketeering law by illicitly accessing and using Microsoft's software and servers to create "offensive" and "harmful and illicit content" [8] Tools and Techniques Used by Defendants - The defendants allegedly used a tool called de3u, which allowed them to generate images using DALL-E without writing their own code and bypass Microsoft's content filtering [6] - De3u also attempted to prevent the Azure OpenAI Service from revising prompts used to generate images, enabling the defendants to reverse engineer means of circumventing Microsoft's content and abuse measures [6][7] - The defendants created a client-side tool called de3u and software for processing and routing communications from de3u to Microsoft's systems as part of a "hacking-as-a-service" scheme [9] Microsoft's Response and Countermeasures - Microsoft is seeking injunctive and "other equitable" relief and damages against the defendants [5] - The court authorized Microsoft to seize a website instrumental to the defendants' operation, allowing the company to gather evidence and disrupt additional technical infrastructure [7] - Microsoft has implemented unspecified countermeasures and added additional safety mitigations to the Azure OpenAI Service targeting the observed activity [10] API Key Theft and Impact - The defendants engaged in a pattern of systematic API key theft, enabling them to steal Microsoft API keys from multiple customers [9] - Stolen Azure OpenAI Service API keys belonging to U.S.-based customers were used to create the "hacking-as-a-service" scheme [9]