The cloud’s master key got stolen, and twenty-five government agencies got read.

It turns out one private signing key, accidentally exposed via a series of “that shouldn’t have happened” events, is enough to mint yourself a year of email access at the State Department.

The 2023 incident remains one of the cleanest demonstrations of how cloud-scale identity works against you when it stops working for you. A nation-state actor got hold of a Microsoft signing key. Through a chain of validation gaps that should have stopped them at every step, they used that key to forge tokens that authenticated as anyone they wanted, in any tenant they wanted. Including, as it turned out, the U.S. State Department, the Department of Commerce, and roughly two dozen other organizations.

The investigation that followed was a small masterpiece of “that’s embarrassing.” The key shouldn’t have been able to sign tokens for that environment. It was. The crash dump it ended up in shouldn’t have left the secure environment. It did. The signing infrastructure shouldn’t have allowed scope confusion across tenants. It allowed exactly that.
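The scope confusion above comes down to a verifier that treated "the signature checks out" as "this key was allowed to sign for this issuer". The following is an added example, not Microsoft's or Halo's code, with every key id, issuer URL and secret constructed for illustration: a JWT-style verifier that binds each key id to the issuer scopes it may sign for, so a token carrying a valid signature from the wrong key is still rejected. HMAC stands in for the asymmetric signing a real identity provider uses; the scope check is the same either way.

```python
import base64, hashlib, hmac, json

# Constructed key set: each key id is bound to the issuer scopes it may sign for.
# HMAC stands in here for the asymmetric signing a real identity provider uses.
KEYS = {
    "consumer-key-1": {"secret": b"consumer-secret", "issuers": {"https://login.example/consumers"}},
    "enterprise-key-1": {"secret": b"enterprise-secret", "issuers": {"https://login.example/tenant-a"}},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(kid: str, claims: dict) -> str:
    """Sign claims with the named key; used only to build sample tokens."""
    header = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify(token: str, expected_issuer: str, now: int) -> dict:
    """Return the claims if the token is valid for expected_issuer, else raise ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    key = KEYS.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        raise ValueError("unknown key id or algorithm")
    expected = hmac.new(key["secret"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # The anti-scope-confusion check: a valid signature is not enough. The key
    # must be one this issuer is permitted to use, and the iss claim must match.
    if claims.get("iss") != expected_issuer or expected_issuer not in key["issuers"]:
        raise ValueError("signing key not valid for this issuer scope")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def check(token: str, expected_issuer: str, now: int) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify(token, expected_issuer, now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

A token minted with `consumer-key-1` but claiming the enterprise issuer passes the signature check and is still refused, which is the property the incident's validation chain lacked.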

None of this was visible to the customer. The customer’s email kept arriving. Calendars kept syncing. Auth flows worked. Audit logs were available, technically, behind a paywall. The breach was discovered only because one specific federal agency happened to have purchased the higher-tier logging that made the theft visible. Anyone on the cheaper plan saw nothing.

The lesson here isn’t that the cloud is bad. The lesson is that when your most sensitive communications run on infrastructure where one stolen key can mint passes to your inbox, your security posture is downstream of someone else’s key-management discipline. They don’t work for you. They work for their shareholders. The shareholders, on average, prefer cost cuts to extra HSMs.

How Halo would have changed this

Your keys. Your audit. Your control plane.

An Eclipse environment doesn’t share its identity plane with the rest of the planet. The keys that authenticate your users sit inside your environment, under your control, with audit trails you operate. When a continent-scale identity provider has a bad month, you read about it in the news the same as everyone else, but you don’t star in the article.

Source

Krebs on Security has the deepest reporting on the Storm-0558 chain of failures and the government agencies affected: https://krebsonsecurity.com/