According to Reuters, a "highly sophisticated hacking group" caused alarm at Microsoft after it managed to break into the highly sensitive database. At the time, Microsoft has not disclosed the attack, but Reuters reports that five former employees have confirmed the breach occurred.
As reported by Reuters, Microsoft first caught wind of the breach in 2013 after a series of breaches were discovered at Apple, Twitter, Facebook, and other tech companies. The group behind the attack, referred to as Morpho, Butterfly, or Wild Neutron, managed to break into Mac computers used by employees, leveraging them to move on to Microsoft's company networks. In a February 22, 2013, statement, Microsoft confirmed the attack but did not mention that its bug database had been breached.
As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion. We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected, and our investigation is ongoing.
According to the employees interviewed by Reuters, the flaws likely were fixed "within months of the hack." Though, as Reuters reports, the database was protected with "little more than a password" before the breach, Microsoft bolstered later bolstered security by "walling the database off from the corporate network and requiring two authentications for access."
Still, the hack was cause for much concern because bugs found in the database could have been potentially used in attacks elsewhere before they were patched. According to the report, Microsoft was not able to determine whether the breach had an impact when cross-referencing hacking attacks with bugs in the database at the time of the hack.
These people said the study concluded that even though the bugs in the database were used in ensuing hacking attacks, the perpetrators could have gotten the information elsewhere.
The possibility could not be ruled out, however, as Microsoft relied on automated reports from crashes to track attacks, according to Reuters. That's potentially problematic because it doesn't account for attacks that don't result in crashes, and machines containing highly sensitive information may not allow automatic reporting.
