Former Microsoft Employees Say Company Kept Mum About A Secret Database Hack In 2013

Hacking happens all the time, and when it affects a large number of people, companies typically disclose the breach. Not always, of course, sometimes not even in a timely manner. As it pertains to Microsoft, something a little different occurred several years ago. Several former employees say a sophisticated hacking group busted into a secret internal database, which Microsoft never made public.

Five ex-employees each told Rueters the same thing in separate interviews. All of them claim the breach happened in 2013, with Microsoft responding in private rather than disclosing the extent of the attack to the public or its customers. The database in question is said to have contained descriptions of critical and unpatched vulnerabilities in popular software programs, including Windows.

Image Source: Flickr (Rory Finneren)

Unfixed flaws are sought after by some foreign governments and malicious hackers in general. There are even companies out there that pay big money for certain software vulnerabilities. For example, a company called Zerodium offered a $1 million reward to the first three people or teams to provide a remote jailbreack for Apple's iOS 9 software in 2015, and has since upped the ante to $1.5 million.

"Bad guys with inside access to that information would literally have a ‘skeleton key’ for hundreds of millions of computers around the world,” said Eric Rosenbach, who was serving as US deputy assistant secretary of defense for cyber when the database breach occurred.

In all likelihood, Microsoft fixed the flaws that were discovered within a few months of the breach. However, both the former employees and US officials who were made aware of the breach had concerns at the time that the exposed information could lead to cyberattacks elsewhere, and eventually infiltrate government and corporate networks.

Microsoft investigated subsequent breaches at other organizations and did not find any evidence that any of them occurred as a result of information being stolen from its databases. The former employees are less sure, however, with three of them noting that the study did not have enough information to draw that conclusion.

There has only been one time when a breach of a big database has been disclosed, and that happened in 2015 at Mozilla, the company behind the Firefox web browser.

Thumbnail Image Source: Flickr (Julien GONG Min)