Microsoft's bug tracking database was hacked in 2013 and the company never disclosed it. efes/Wikimedia Commons

In 2013, Microsoft’s internal database used to track bugs and other flaws was breached by a group of sophisticated hackers. The company never fully disclosed the extent of that hack despite the potential risks it posed to users, Reuters reported.

Five former employees confirmed to Reuters that the database, which contained details about critical vulnerabilities that the company had yet to patch in Microsoft products including its Windows operating system, was hacked and kept secret.

The attack was particularly troublesome, not simply because the details were not publicly disclosed but because the hackers who carried out the breach were in possession of information about vulnerabilities that plagued millions of machines around the world.

While it is believed that in most cases the vulnerabilities listed in the database were patched within a matter of months after the hack, that would still leave the threat actors plenty of time to execute a widespread attack. Since many people and organizations do not update their machines as soon as a patch is made available, the exploits likely worked well after Microsoft issued its patches.

Microsoft did not fully hide the fact that it had been hacked—the company issued a statement shortly after the incident confirming that it experienced a breach.

"As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion. We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected, and our investigation is ongoing," the company said at the time.

According to the accounts provided by former employees of the tech giant, the statement did not touch on the severity of the breach or the potential implications of unpatched vulnerabilities being stolen and exploited.

While Microsoft kept mum publicly about the extent of the hack, internally the company was reportedly panicking after it was discovered the bug tracking database was poorly secured and protected by just a password.

The company tracked hacks that took place after the breach to see if the stolen bugs and exploits were used to carry out the attacks. When it concluded that the subsequent hacks could also have been the result of information stolen elsewhere, the company decided not to disclose the extent of the breach.

It is believed the breach, which came shortly after other major tech companies experienced similar intrusions, was carried out by a hacking collective known as Wild Neutron—sometimes also referred to as Morpho or Butterfly.

The group is considered one of the most sophisticated and dangerous in operation, and it continues to be active today. Security experts are unsure whether the group is supported by a national government or operates independently of any backing.

Microsoft’s failure to disclose its breach in 2013 did not stop the company from scolding the United States National Security Agency for experiencing a similar security incident earlier this year.

A tool developed by the National Security Agency was stolen by a hacking group known as the Shadow Brokers and used to spread the WannaCry ransomware attack that infected more than one million unpatched computer systems around the world.

Microsoft said after the incident that the hoarding of exploits just puts users at risk when the vulnerabilities aren’t disclosed — especially when that information is stolen or leaked and made available for hackers to use freely with no protections in place.

“An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” Brad Smith, Microsoft’s president and chief legal officer said at the time. “The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”