Security on Microsoft's internal systems is usually pretty tight, but apparently in early 2013, a hacker group managed to breach the network and gain access to the company's database of vulnerabilities that were in existence for all of its software, five former employees said.
Microsoft did disclose the attack in a brief statement at the time, saying:
"As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion. We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected, and our investigation is ongoing."
However, that statement falls far short of revealing the full extent of the hack. With access to known holes in Microsoft's software, including the Windows operating system, the hackers could have easily developed malware and tools to exploit those vulnerabilities.
“Bad guys with inside access to that information would literally have a ‘skeleton key’ for hundreds of millions of computers around the world,” Eric Rosenbach, who was U.S. deputy assistant secretary of defense for cyber at the time, told Reuters.
After the breach, the former employees said that Microsoft went back and looked at hacks that happened to other companies to see if their loopholes were at fault before fixes had been implemented. The conclusion was that even though the bugs in the database were used in ensuing breaches, the information used by the hackers was also available elsewhere. That determination was the reason for Microsoft's failure to disclose the full extent of the hack, especially since many of the bugs had already been patched, the ex-employees said.
One, however, said that the company did a poor job of follow-up. “They absolutely discovered that bugs had been taken. Whether or not those bugs were in use, I don’t think they did a very thorough job of discovering.”
Security was tightened after the breach, with the database separated from the main network, and two-factor authentication required to gain access.
The former employees said that the flaws were likely fixed within months of the attack, but that type of access could easily have led to massive breaches at other companies. If those types of hack did occur, they have gone unreported.
Mark Weatherford, U.S. Homeland Security deputy undersecretary for cybersecurity at the time of the Microsoft breach, told Reuters that all companies need to treat their accurate bug reports as "keys to the kingdom," giving them as much, if not more, security than that of their main network.
In contrast, Mozilla had a similar hack in 2015 where hackers got hold of 10 unpatched flaws in the Firefox browser. Mozilla disclosed the info to users at the time to “not only inform and help protect our users, but also to help ourselves and other companies learn, and finally because openness and transparency are core to our mission.” Chief Business and Legal Officer Denelle Dixon said.
As hackers become more sophisticated, companies must become equally vigilant in protecting their data. However, vulnerabilities will continue to occur, making it essential that the companies affected by breaches remain open with their customer base to protect them and build the trust that the companies will do everything they can to safeguard their users' data and privacy.