Today it is common to hear stories of hackers taking advantage of all kinds of vulnerabilities in software systems. Data theft and hijacking, unauthorized transactions and a wide variety of illegal activities come to light daily on the Internet – and many others are kept “secret”. What is not common is for the architects of these acts to be employees of the affected companies. The story we will tell you today, which involves Microsoft, is one of the few exceptions.
Bloomberg reports on a situation that caused headaches for Redmond in 2018. The story centers on Volodymyr Kvashuk, a former Microsoft employee assigned to a team of testers. His daily job was to look for flaws in the company's e-commerce infrastructure, specifically in the payment systems. If he found a vulnerability, he was obviously expected to report it to his superiors.
These types of tasks are very common in the development of any software and, so far, there is nothing abnormal. The matter gets interesting because, in 2017, Kvashuk found a bug that would change his life forever. The bug made it possible to generate Xbox gift card codes for free after making a fake transaction in the Microsoft Store. Even more incredible, the 25-digit codes were fully functional and could be used to purchase digital products or services. If you are an Xbox gamer, you know what we are talking about.
The normal thing, of course, would have been for the employee to report his finding to Microsoft so that it could be fixed quickly. Can you imagine what happened next? Yes, Kvashuk decided to keep the bug a secret to fill his pockets. The now former employee generated thousands of codes and sold them in an online store with attractive discounts of up to 55%. The sale was a success. He even created an application to automate the process; with just a few clicks he could indicate how many codes he needed, their value (30, 75 or 100) and the currency (dollars, euros, among others). Redmond estimates that the treacherous theft amounts to approximately 10 million dollars.
Microsoft's suspicions and the employee's downfall
However, the story takes an unexpected turn when some codes began to fail. Those affected did not turn to Kvashuk for a solution, but to Microsoft's support service. According to Bloomberg, however, in February 2018 the company was already aware of what was really happening. It turns out that a Microsoft fraud investigation team detected unusual activity in its metrics: purchases of digital products with gift card codes increased exponentially.
At first, Microsoft suspected that an external hacker was at work. However, shortly thereafter, they discovered that the architect was one of their own employees, thanks to the clues he left in the testing tools. Kvashuk was left with no way out and was fired immediately. Fortunately for him, Microsoft did not press charges and even allowed him to live in a house acquired with the millions of stolen dollars.
Did you think this story would have a happy ending for a criminal? Well, it doesn't. Although Microsoft preferred not to get involved in a direct legal dispute, they did report the event to the authorities. They were not going to allow an illegal act to go unpunished. Kvashuk was arrested and sentenced to 9 years in prison – which he is serving to date – and, upon leaving prison in 2027, could be deported to Ukraine, his country of origin.
“Federal agents found a list of Kvashuk's future investments, written in Ukrainian. The list revealed that he was planning to buy, among other extravagances, a $4 million house on Maui, a million-dollar home in ‘the mountains’ as well as ‘a yacht.’ The title of the list was: ‘How will I manage my next 10 million’.”
Moral? If you find a flaw in an e-commerce system, or in any other kind of system, it is better to report it.