Microsoft 'downplayed internal database hack'

But Redmond says bug-tracking database breach did not lead to exploits - report

Microsoft's internal database that it uses to track bugs in its software was reportedly hacked in 2013.

A highly sophisticated hacking group was behind the alleged breach, according to Reuters, which is the second known breach of this kind of corporate database.

Five former employees told the publication about the hack in separate interviews, thoughReuters said Microsoft did not disclose the depth of the attack in 2013.

The database in question contained information on critical and unfixed vulnerabilities found in not only the Windows operating system but also some of the most widely used worldwide software, the publication reported.

Microsoft learned of the breach in early 2013 after a hacking group launched a series of attacks against high profile tech companies including Apple, Twitter and Facebook.

The group exploited a flaw in the Java programming language to access employees' Apple computers, before moving into the company's network, Reuters said.

Microsoft released a short statement following the attack on 22 February 2013 that said: "As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion.

"We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected, and our investigation is ongoing."

In an email responding to questions fromReuters, Microsoft said: "Our security teams actively monitor cyber threats to help us prioritize and take appropriate action to keep customers protected."

A Microsoft spokesperson toldIT Pro:"In February 2013 we commented on the discovery of malware, similar to that found by other companies at the time, on a small number of computers including some in our Mac business unit. Our investigation found no evidence of information being stolen that could be used in subsequent attacks."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

This contradictsReuters' report, whosesources said that although the bugs in the database had been exploited in hacking attacks, the attackers could have found the information elsewhere.

Reuters saidMicrosoft didn't disclose the breach because of this, and because many patches had already been released to customers.

"They absolutely discovered that bugs had been taken," one source said. "Whether or not those bugs were in use, I don't think they did a very thorough job of discovering."

Following the breach, Microsoft improved its security by separating the database from the corporate network and including two authentications to access the information, Reuters reported.

Mozilla had a similar attack in 2015 when an attacker accessed a database which included information on 10 unpatched flaws. One of the flaws was then used to attack Firefox users, which Mozilla told the public about at the time, telling customers to take action.

Mozilla CBO and CLO Denelle Dixon said the foundation released the information about what it knew in 2015 "not only [to] inform and help protect our users, but also to help ourselves and other companies learn, and finally because openness and transparency are core to our mission."

Advertisement - Article continues below

Reuters wrote that the hacking group has been called Morpho, Butterfly and Wild Neutron but security researchers say it is a proficient and mysterious group and that they cannot determine if it is backed by a state government.

Equifax revelead that a file containing 700,000 UK records was accessed during a data breach in May,giving attackers access to names and contact details. Of that figure, 700,000 accounts had partial credit information and email addresses stolen.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/cloud/cloud-computing/354478/microsoft-has-an-edge-on-aws-according-to-it-executives
cloud computing

Microsoft has an edge on AWS, according to IT executives

8 Jan 2020
Visit/hardware/354336/the-it-pro-products-of-the-year-2019-all-the-years-best-hardware
Hardware

The IT Pro Products of the Year 2019: All the year’s best hardware

24 Dec 2019
Visit/laptops/34636/microsoft-surface-laptop-3-hands-on-review-powerfully-tempting
Laptops

Microsoft Surface Laptop 3 13in review: Almost the perfect laptop

6 Dec 2019
Visit/hardware/laptops/354275/microsoft-surface-laptop-3-15in-review-ryzen-falls
Laptops

Microsoft Surface Laptop 3 15in review: Ryzen falls

4 Dec 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020
Visit/business-strategy/mergers-and-acquisitions/354602/xerox-to-nominate-directors-to-hps-board-reports
mergers and acquisitions

Xerox to nominate directors to HP's board – reports

22 Jan 2020