When Microsoft discovered in 2013 that hackers had breached the secret internal database it uses to track vulnerabilities, it quietly upped its security, segmenting the database from its network and compelling two-factor authentication.
The database was populated with information on critical flaws, many of those unfixed, in the company's software that were of great value to hackers, five former Microsoft employees told Reuters.
“From the adversary perspective, having access to critical and unfixed vulnerabilities is the ‘holy grail,'” said Dmitri Alperovitch, co-founder and CTO at CrowdStrike.
The company probably patched the vulnerabilities within months of discovering the breach, the report said.
“We may be seeing the ripple effects of this hack for some time and many businesses may end up suffering stealthy compromises,” said Alperovitch. “The key question to answer is how long they may have had access and what entry points were established during that time.”
The company reportedly reviewed breaches at other companies to see if any of the information taken from its databas had been used in those incidents.
While Microsoft didn't speak to Reuters about the breach, it did say in a statement,“Our security teams actively monitor cyber threats to help us prioritize and take appropriate action to keep customers protected.”
The database compromise, though, “highlights that everyone is vulnerable to sophisticated intrusions,” said Alperovitch.