A group hacked high-profile technology companies in 2013 using a security flaw in Java on Apple Mac computers.
Microsoft was one of the companies hit, and its bug-reporting and patch-tracking database for Windows was breached, reported Reuters.
Details of the attack were revealed after five former security employees came forward to reveal that sensitive data was stolen during the attack.
When Microsoft discovered the database was compromised, alarm spread inside the company. The five employees said the database was poorly protected and access was possible via little more than a password.
This raised concerns that hackers were using the stolen data to conduct further attacks elsewhere.
Microsoft then conducted a study to compare the timing of breaches with when the flaws had entered the database, and when they were patched.
The study found that bugs in the database were used in attacks, but it was argued the hackers could have obtained the information elsewhere.
As patches had already been released to customers, this helped justify Microsoft’s decision not to disclose the breach.
Three of the former security employees told Reuters the study did not rule out stolen bugs being used in future attacks, and they don’t believe Microsoft did a thorough enough investigation.