Microsoft’s quiet response to database hack in 2013

Spies for governments around the globe and other hackers covet such information because it shows them how to create tools for electronic break-ins.

The Microsoft flaws were fixed likely within months of the hack, according to the former employees. Yet speaking out for the first time, these former employees, as well as US officials informed of the breach by Reuters, said it alarmed them because the hackers could have used the data at the time to mount attacks elsewhere, spreading their reach into government and corporate networks.

“Bad guys with inside access to that information would literally have a ‘skeleton key’ for hundreds of millions of computers around the world,” said Eric Rosenbach, who was US deputy assistant secretary of defence for cyber at the time.

Companies of all stripes now are ramping up efforts to find and fix bugs in their software amid a wave of damaging hacking attacks.

Many firms, including Microsoft, pay security researchers and hackers ‘bounties’ for information about flaws — increasing the flow of bug data and rendering efforts to secure the material more urgent.

In an email responding to questions, Microsoft said: “Our security teams actively monitor cyber threats to help us prioritise and take appropriate action to keep customers protected.”

Sometime after learning of the attack, Microsoft went back and looked at breaches of other organisations around then, the former employees said. It found no evidence that the stolen information had been used in those breaches.

Two current employees said the company stands by that assessment. Three of the former employees assert the study had too little data to be conclusive.

Microsoft tightened up security after the breach, the former employees said, walling the database off from the corporate network and requiring two authentications for access.