Microsoft’s secret internal database for tracking bugs in its own software was broken into by a highly sophisticated hacking group more than four years ago, according to five former employees, in only the second known breach of such a corporate database.
The company did not disclose the extent of the attack to the public or its customers after its discovery in 2013, but the five former employees described it to Reuters in separate interviews.
Microsoft declined to discuss the incident.
The database contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system.
Spies for governments around the globe and other hackers covet such information because it shows them how to create tools for electronic break-ins.
The Microsoft flaws were fixed likely within months of the hack, according to the former employees. Yet speaking out for the first time, these former employees as well as US officials informed of the breach by Reuters said it alarmed them because the hackers could have used the data at the time to mount attacks elsewhere, spreading their reach into government and corporate networks.
"Bad guys with inside access to that information would literally have a 'skeleton key' for hundreds of millions of computers around the world," said Eric Rosenbach, who was US deputy assistant secretary of defence for cyber at the time.
Companies of all stripes now are ramping up efforts to find and fix bugs in their software amid a wave of damaging hacking attacks. Many firms, including Microsoft, pay security researchers and hackers "bounties" for information about flaws – increasing the flow of bug data and rendering efforts to secure the material more urgent than ever.
In an email responding to questions from Reuters, Microsoft said: "Our security teams actively monitor cyber threats to help us prioritise and take appropriate action to keep customers protected."
Sometime after learning of the attack, Microsoft went back and looked at breaches of other organisations around then, the five ex-employees said. It found no evidence that the stolen information had been used in those breaches.
Two current employees said the company stands by that assessment. Three of the former employees assert the study had too little data to be conclusive.
Microsoft tightened up security after the breach, the former employees said, walling the database off from the corporate network and requiring two authentications for access.
The dangers posed by information on such software vulnerabilities became a matter of broad public debate this year, after a National Security Agency stockpile of hacking tools was stolen, published and then used in the destructive "WannaCry" attacks against UK hospitals and other facilities.
After WannaCry, Microsoft President Brad Smith compared the NSA's loss to the "the US military having some of its Tomahawk missiles stolen," and cited "the damage to civilians that comes from hoarding these vulnerabilities."
Only one breach of a big database from a software company has been disclosed. In 2015, the nonprofit Mozilla Foundation - which develops the Firefox web browser - said an attacker had gotten access to a database that included 10 severe and unpatched flaws. One of those flaws was then leveraged in an attack on Firefox users, Mozilla disclosed at the time.
In contrast to Microsoft's approach, Mozilla provided extensive details of the breach and urged its customers to take action.
Mozilla Chief Business and Legal Officer Denelle Dixon said the foundation told the public about what it knew in 2015 "not only inform and help protect our users, but also to help ourselves and other companies learn, and finally because openness and transparency are core to our mission."
The Microsoft matter should remind companies to treat accurate bug reports as the "keys to the kingdom," said Mark Weatherford, who was deputy undersecretary for cyber security at the US Department of Homeland Security when Microsoft learned of the breach.
Like the Pentagon's Rosenbach, Weatherford said he had not known of the Microsoft attack. Weatherford noted that most companies have strict security procedures around intellectual property and other sensitive corporate information.
"Your bug repository should be equally important," he said.
Read more on the next page...