
Microsoft's vulnerability database hacked in 2013, public kept in dark

In a Reuters report, former Microsoft employees detailed how Microsoft's internal bug database was breached, and how the firm responded.

Microsoft suffered an internal breach back in 2013, and quietly patched the flaws without disclosing the event to the public, Reuters reported on Tuesday. The breach impacted a Microsoft database that contained data on unfixed bugs and vulnerabilities in a host of software, including Windows, the report said.

Reuters learned of the breach from five former employees, who described it to the publication. The attack was "only the second known breach of such a corporate database," Reuters reported.

The bigger issue in this whole debacle is the Microsoft database's contents. According to the Reuters report, the database contained information on unfixed flaws and vulnerabilities in Microsoft software, some of which was in wide use around the world. And it was poorly protected, the former employees said, with only a simple password locking it down.


The former Microsoft employees told Reuters that the flaws within the database were probably patched within a few months of the breach's discovery. However, they noted, if that information was compromised, it could have been used to initiate devastating attacks on other networks.

Eric Rosenbach, the US deputy assistant secretary of defense for cyber at the time of the breach, told Reuters that access to the information in that database would have given attackers "a 'skeleton key' for hundreds of millions of computers around the world."

To be fair, Microsoft may have kept the breach quiet in an effort not to alert potential attackers to the existence of a database full of unfixed vulnerabilities. Making such information public could have invited further attacks.

Microsoft found no evidence that the information in the database had been used in an attack, and two of the former employees told Reuters they believed that conclusion was probably correct. The other three weren't so sure. Microsoft did, however, increase security after the attack.

After similar attacks hit Facebook and Apple, Microsoft released a statement on its blog declaring that it had "experienced a similar security intrusion." However, the firm did not disclose the full extent of the attack, Reuters reported.

In the wake of the attack, the former employees remain divided over how Microsoft responded. Some said they believe the company didn't do a thorough enough job of determining whether the flaws in the database had been used in subsequent attacks, the report said.

The 3 big takeaways for TechRepublic readers

  1. An internal Microsoft database was hacked in 2013, and the company didn't disclose the full nature of the breach to the public, Reuters reported.
  2. The database contained information on active software bugs and vulnerabilities, which could have been used to mount serious cyberattacks in the future.
  3. The former Microsoft employees who described the breach to Reuters said that the database was poorly protected, and Microsoft didn't do a thorough job finding out whether its flaws were used in other cyberattacks.


About Conner Forrest

Conner Forrest is a Senior Editor for TechRepublic. He covers enterprise technology and is interested in the convergence of tech and culture.
