UPDATED 23:04 EDT / OCTOBER 17 2017

Microsoft’s bug tracker was hacked in 2013 but it didn’t tell anyone about it

You can say lots of things about hackers (scum of the earth, trash, evil and several other words that modesty prevents from being typed), but you can’t accuse them of not being creative. It turns out they broke into Microsoft Corp.’s bug tracking database, which tracks vulnerabilities in Microsoft’s products, way back in 2013.

The alleged hack, first exposed by Reuters Monday, saw the bad guys access Microsoft’s bug tracking database and steal information relating to vulnerabilities that were exploited in later attacks. Where the story gets interesting, however, is that Microsoft never disclosed the hack, ostensibly because an internal review concluded that exploits accessed by the hackers could have been discovered elsewhere on the internet.

It may be true that the vulnerabilities were detailed elsewhere online at some point. But the concern with Microsoft’s lack of disclosure about the now-four-year-old hack lies with the fact that the bug tracking database includes automated reports Microsoft receives when its software crashes. That’s a veritable treasure trove for serious hackers looking to find new ways to exploit Windows users.

Not only that, it appears that Microsoft also didn’t disclose the hack to the software makers that triggered many of those reports. That means the hackers had better insider information than the likes of Adobe Systems Inc., Google LLC and others.

The report claims that the unnamed group behind the hack is the same one behind the 2013 hacks of Apple Inc., Facebook Inc. and Twitter Inc. All three of those hacks shared a common trait: The hackers gained access using a zero-day, or undiscovered, attack that took advantage of a known vulnerability in Java software.

After initially only saying in a statement to Reuters that “Our security teams actively monitor cyber threats to help us prioritize and take appropriate action to keep customers protected,” Microsoft subsequently sort of confessed to the hack having taken place. However, it denied anything was stolen: “In February 2013, we commented on the discovery of malware, similar to that found by other companies at the time, on a small number of computers including some in our Mac business unit. Our investigation found no evidence of information being stolen and used in subsequent attacks.”

This might be only a historical footnote four years on, but the fact that Microsoft didn’t clearly publicly disclose the hack at the time raises concerns, again, about a corporate culture of secrecy that puts its shareholder value over the well-being of its customers.
