Microsoft’s internal bug-tracking database was hacked over 4 years ago. The hack was discovered in 2013 but was never disclosed to the public. The database contained a list of secret security flaws and possible exploits in the company’s widely used software. Microsoft managed to fix the issue within months after that. What is disturbing, however, is that the public was never informed: during the months Microsoft spent creating solutions to combat the possible exploits, the public was exposed to numerous threats without knowing about it.
The company checked whether the leaked information had been used in other breaches around that same time, before Microsoft was able to patch the flaws. According to insiders, it was unable to link the hack to any other breaches happening before that. Since then, the company has put more emphasis on internal security, and former employees state that hacks like this will probably not occur in the future.
But the fact remains that the public should have been informed, even if it meant that the hackers would likely have used the exploits more aggressively since they would have known the hack was discovered. If the public had been informed about what happened, companies, users and even governments could have taken preventative measures to ensure their security. Not disclosing that the breach occurred isn’t a great move at all.
“Bad guys with inside access to that information would literally have a ‘skeleton key’ for hundreds of millions of computers around the world,” said Eric Rosenbach, the U.S. deputy assistant secretary of defense for cyber at the time.
The dangers posed by information on such software vulnerabilities became a matter of broad public debate this year, after a National Security Agency stockpile of hacking tools was stolen, published and then used in the destructive “WannaCry” attacks against U.K. hospitals and other facilities.
Only one breach of a big database from a software company has been disclosed. In 2015, the nonprofit Mozilla Foundation – which develops the Firefox web browser – said an attacker had gotten access to a database that included 10 severe and unpatched flaws. One of those flaws was then leveraged in an attack on Firefox users, Mozilla disclosed at the time.
In contrast to Microsoft’s approach, Mozilla provided extensive details of the breach and urged its customers to take action.