Microsoft’s internal database of known software vulnerabilities, which included details of flaws in both its software and software made by others, was hacked in 2013, according to a new report.
Citing five former employees of the company, Reuters reported Tuesday that “a highly sophisticated hacking group” gained access to the database four years ago, a serious breach of its security defenses that Microsoft never disclosed. Microsoft fixed the flaws related to its own software soon after the breach, according to Reuters, but it’s not clear whether flaws in other companies’ products were exploited as a result of the hack.
Modern security teams research flaws in all kinds of software, not just the software built and maintained by their own companies. Microsoft’s and Google’s security teams, for example, have each disclosed flaws in the other’s products over the years, a process that, when properly vetted, is less about scoring competitive points and more about fixing holes as quickly as possible.
But it doesn’t appear that Microsoft ever informed any of the companies responsible for the software flaws detailed in its database that those vulnerabilities had been discovered by criminals. Several tech companies, including Apple and Facebook, were hacked by the group believed to be responsible for this breach around the same time, so it’s possible the hackers had already gotten everything they wanted.
Microsoft later issued a statement, which acknowledges the 2013 hack but, again, says nothing about the vulnerability database:
“In February 2013, we commented on the discovery of malware, similar to that found by other companies at the time, on a small number of computers including some in our Mac business unit. Our investigation found no evidence of information being stolen and used in subsequent attacks.”
(Editor’s note: This post was updated with a statement from Microsoft.)