It's been a bad couple of years for Microsoft's security and privacy efforts. Misconfigured endpoints, rogue security certificates, and weak passwords have all caused or risked the exposure of sensitive data, and Microsoft has been criticized by security researchers, US lawmakers, and regulatory agencies for how it has responded to and disclosed these threats.
The most high-profile of these breaches involved a China-based hacking group named Storm-0558, which breached Microsoft's Azure service and collected data for over a month in mid-2023 before being discovered and driven out. After months of ambiguity, Microsoft disclosed that a series of security failures gave Storm-0558 access to an engineer's account, which allowed Storm-0558 to collect data from 25 of Microsoft's Azure customers, including US federal agencies.
In January, Microsoft disclosed that it had been breached again, this time by Russian state-sponsored hacking group Midnight Blizzard. The group was able "to compromise a legacy non-production test tenant account" to gain access to Microsoft's systems for "as long as two months."