It was not just Yahoo among « Fortune 500 » companies who tried to keep a major data breach incident secret.
Reportedly, Microsoft had also suffered a data breach four and a half years ago (in 2013), when a « highly sophisticated hacking group » breached its bug-reporting and patch-tracking database, but the hack was never made public until today.
According to five former employees of the company, interviewed separately by Reuters, revealed that the breached database had been « poorly protected with access possible via little more than a password. »
This incident is believed to be the second known breach of such a corporate database after a critical zero-day vulnerability was discovered in Mozilla’s Bugzilla bug-tracking software in 2014.
As its name suggests, the bug-reporting and patch-tracking database for Windows contained information on critical and unpatched vulnerabilities in some of the most widely used software in the world, including Microsoft’s own Windows operating system.
The hack was believed to be carried out by a highly-skilled corporate espionage hacking group known by various names, including Morpho, Butterfly and Wild Neutron, who exploited a JAVA zero-day vulnerability to hack into Apple Mac computers of the Microsoft employees, « and then move to company networks. »
With such a database in hands, the so-called highly sophisticated hacking group could have developed zero-day exploits and other hacking tools to target systems worldwide.
There’s no better example than WannaCry ransomware attack to explain what a single zero-day vulnerability can do.
When Microsoft discovered the compromised database in earlier 2013, an alarm spread inside the company.
Following the concerns that hackers were using stolen vulnerabilities to conduct new attacks, the tech giant conducted a study to compare the timing of breaches with when the bugs had entered the database and when they were patched.
To read the original articel: https://thehackernews.com/2017/10/microsoft-bug-tracking-breach.html