While Microsoft kept mum publicly about the extent of the hack, internally the company was reportedly panicking after it was discovered the bug tracking database was poorly secured and protected by just a password. The breach impacted a Microsoft database that contained data on unfixed bugs and vulnerabilities in a host of software, including Windows, the report said. However, both the former employees and United States officials who were made aware of the breach had concerns at the time that the exposed information could lead to cyberattacks elsewhere, and eventually infiltrate government and corporate networks.
Such information can be valuable for hackers who can use the databases for guidance on what potential vulnerabilities they can exploit in the future.
Reuters quoted Eric Rosenbach, who was U.S. deputy assistant secretary of defence for cyber at the time, as saying: "Bad guys with inside access to that information would literally have [had] a 'skeleton key' for hundreds of millions of computers around the world".
"We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organisations", Microsoft said at the time.
One ex-employee told Reuters: "They absolutely discovered that bugs had been taken". Usually, engineers fix such flaws before hackers ever know they existed.
The theft occurred in early 2013 amid a string of attacks on other big tech companies like Apple and Facebook. The other three employees weren't so sure. According to the report, Microsoft was not able to determine whether the breach had an impact when cross-referencing hacking attacks with bugs in the database at the time of the hack.
The 2013 attacks involved luring company staff to forum websites that had been hacked, where they were exposed to an automated Java exploit that wasn't known to security firms or developers at the time.
Microsoft did not immediately respond to a request for comment on the report.
It is believed the breach, which came shortly after other major tech companies experienced similar intrusions, was carried out by a hacking collective known as Wild Neutron, sometimes also referred to as Morpho or Butterfly.
These people said the study concluded that even though the bugs in the database were used in ensuing hacking attacks, the perpetrators could have gotten the information elsewhere.
More than a week after stories about the breaches first appeared in 2013, Microsoft published a brief statement that portrayed its own break-in as limited and made no reference to the bug database.
But three of the five former staff argued Microsoft's investigation was based on insufficient information, citing its reliance on automated bug reports that aren't generated by sensitive systems.