Microsoft suffered an internal bug database hack in 2013 and didn't tell anyone
Four and a half years ago, an internal bug-tracking database at Microsoft was breached by a "highly sophisticated hacking group," according to five former employees of the company. The hack of the secret database was never made public.
It is believed that this is only the second time such a corporate database has been breached. US officials were alarmed to learn of the hack, which could have exposed software vulnerabilities to the attackers, reports Reuters.
The five former employees spoke to Reuters separately, saying that the database had been poorly protected. Microsoft has declined to speak about the matter, beyond saying: "Our security teams actively monitor cyber threats to help us prioritize and take appropriate action to keep customers protected."
When Reuters told US officials about the security breach, Eric Rosenbach -- deputy assistant secretary of defense for cyber at the time of the attack -- said:
Bad guys with inside access to that information would literally have a "skeleton key" for hundreds of millions of computers around the world.
When Microsoft discovered the security breach, it cross-referenced breaches of other companies that followed and concluded that no data contained in the database had been used to carry out other attacks. The former employees say that Microsoft increased security following the breach, sandboxed the database away from corporate networks, and introduced dual authentication for access.
It is thought the attack was carried out by a group known as Morpho, Butterfly and Wild Neutron, which also attacked Facebook, Apple and Twitter. Microsoft made no public acknowledgement of its database breach, but issued a statement in February 2013 that said:
As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion. We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected, and our investigation is ongoing.