An internal database used by developers at Microsoft to track bugs and potential security flaws in the Windows operating system was compromised by hackers in 2013, in an attack that Microsoft is accused of having covered up.
The hack, which is only the second known breach of such a corporate database, was revealed by five ex-Microsoft employees, who described it to newswire Reuters in separate interviews. Microsoft, however, has not disclosed the extent of the breach.
The company reportedly learnt of the breach in early 2013 after a hacking group launched a series of attacks against high-profile tech firms, including Apple, Twitter and Facebook.
The hacking group in question, known as Morpho, Butterfly and Wild Neutron by security researchers, is said to have exploited vulnerabilities in Java in order to penetrate employees' Apple computers and then company networks.
The five ex-employees said the company's officials became concerned once they realised that the database, which contained descriptions of critical and unfixed vulnerabilities in Windows, had been accessed. The database had reportedly been poorly protected with only a password required to access it.
While Microsoft failed to disclose the breach and had reportedly fixed the flaws "within months of the attack", three of the ex-employees interviewed by Reuters said that the stolen bugs may have been used in attacks following the breach.
"They absolutely discovered that bugs had been taken," one source said. "Whether or not those bugs were in use, I don't think they did a very thorough job of discovering."
Microsoft released a terse statement following the attack on 22 February 2013. It said: "As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion.
"We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected, and our investigation is ongoing."
Microsoft tightened up security after the breach, the former employees said, walling the database off from the corporate network and requiring two-factor authentication for access.