Microsoft’s Secret Bug Database was Hacked in 2013


Technology giant Microsoft never disclosed a major breach of its internal database tracking bugs, a report has revealed.

Microsoft uses a secretive internal database to track and record security flaws and exploits affecting its software. According to five former employees who spoke to Reuters, a highly sophisticated hacking group breached the database over four years ago in 2013.

The former employees spoke to Reuters about the incident, which Microsoft discovered soon afterward but never disclosed to the public or its customers.

“The database contained descriptions of critical and unfixed vulnerabilities in some of the most widely used software in the world, including the Windows operating system,” the Reuters report read. “Spies for governments around the globe and other hackers covet such information because it shows them how to create tools for electronic break-ins.”

According to the employees, Microsoft fixed the flaws within months of the hack. Still, the breach could yet have repercussions as U.S. officials – now informed of the breach – are concerned about the ways in which the sophisticated group of hackers could have used the intel to carry out attacks elsewhere, on individuals, corporations and government networks alike.

The group, variously called Morpho, Butterfly and Wild Neutron, has also broken into other major tech giants including Apple, Facebook and Twitter. It is not yet known whether the group is sponsored by a state, but it remains one of the most proficient and mysterious hacking groups out there.

Microsoft looked at breaches of other organizations soon after learning of the attack and found no credible evidence that the stolen information was used to exploit companies suffering those breaches, according to the former employees. While two employees steadfastly stand by the assessment, three insist that the study done by Microsoft had too little data to be conclusive.

“Bad guys with inside access to that information would literally have a ‘skeleton key’ for hundreds of millions of computers around the world,” said U.S. deputy assistant secretary of defense for cyber Eric Rosenbach.
