How MS Played Cat and Mouse

The hacker(s) who penetrated Microsoft's computer system started slowly, then kept asking for more and more. That's when the call went out to security.

SEATTLE -- When the first couple of new accounts popped up, the network administrators at Microsoft didn't pay too much attention. Most likely, someone new didn't set them up properly.

Then a few more accounts appeared. Then more. Within a few days, there were about two dozen new accounts. What's worse, whoever was creating them started trying to upgrade their network privileges, including permission to view high-level files and their more-sensitive information.

That, according to sources familiar with the case, is when Microsoft called in its computer security team.

Company officials believe the hacker had access for about 12 days, but only to the source code, or blueprints, for a single product that is still in the early stages of development. That contrasts with initial company statements that the hacker could have had access for up to five weeks.

But Microsoft officials admitted Monday that the company's computer experts were unable to track the infiltrator despite more than a week's worth of electronic cat-and-mouse through its network.

"We are continuing to work closely with law enforcement," said company spokesman Rick Miller. "Beyond that, we really can't say much more."

Miller acknowledged the hacker could have been in the system longer than 12 days but said the company is confident that high-level access occurred only between Oct. 14 and Oct. 25.

Even with low-level access, the hacker could have accessed corporate e-mail and other confidential information, Miller said.

Mark Rasch, a former Justice Department official and now vice president of the Reston, Va.-based computer security firm Global Integrity, said Microsoft's lack of success is common in the industry.

"Only the dumb ones get caught," Rasch said. "Microsoft's experience is not atypical, especially if the bad guy was smart."

Sources close to the case, who did not wish to be identified, told The Associated Press that the company managed to learn of the infiltration early.

While the hacker was able to create new accounts for himself, many computer networks build in that kind of flexibility so that midlevel managers can create accounts for new workers and teams.

"It's tough because once the hacker creates the accounts, he can look like a normal person logging in," Rasch said. "So which accounts do you monitor? There's always a chance you'd miss one."

After the network administrators reported the problem to Microsoft security on Oct. 14, sources said the company monitored the various accounts as the hacker tried to upgrade his security clearances. The hacker did manage to access the source code to one product, the company said.

Microsoft officials would not say whether the product had anything to do with Microsoft.NET, the company's new strategy for products that work over the Internet instead of on a single computer.

"Theoretically, all of our products will be .NET in three to five years," Miller said. "But we can say for certain that it was not one of our core products."

The company then tried to track the intruder on its own, sources said, but had little luck determining where his commands were coming from. Hackers often use other computers across the Internet, often ones they have previously broken into, to "bounce" their data around to confuse trackers.

"There's always a tradeoff between shutting them down and continuing to let them go while you investigate," Rasch said.

After law enforcement joined the investigation on Oct. 26, sources said there was little improvement. Microsoft was forced to shut down all the questionable accounts and barred outside access to the network for a time to stop the hacker from accessing more confidential data.

The company believes that its systems are now secure again, but would not confirm how the breach occurred in the first place.

Media reports have said the hacker used a "Trojan," a tool masquerading as an innocent file or program, usually sent through e-mail, that requires the recipient to unknowingly click on it.