Report: Microsoft didn’t warn users China hacked accounts
SAN FRANCISCO — Microsoft is disputing a Reuters report that it became aware four years ago China likely had hacked into Hotmail accounts belonging to Tibetan and Uighur minority leaders, among others, but did not warn the victims their privacy was at risk.
Microsoft did make a change to its policies around this type of hacking on Wednesday. The company had previously not explicitly warned users of possible state-sponsored hacking, something Google has done for several years and Facebook and Yahoo recently began doing.
On Wednesday, Microsoft announced that it will now notify customers if it believes their account has been targeted or compromised by an individual or group working on behalf of a country or nation state.
“We’re taking this additional step of specifically letting you know if we have evidence that the attacker may be ‘state-sponsored’ because it is likely that the attack could be more sophisticated or more sustained than attacks from cybercriminals and others,” Microsoft said in a blog post.
The change seems to have come in response to the revelations in the Reuters story.
According to unnamed former Microsoft employees quoted by the news service, the initial attacks on Hotmail users began in 2009. They were only brought to light in 2011.
In May of that year, researchers at security firm Trend Micro showed that the attack exploited a previously unpatched vulnerability in Microsoft’s free email program Hotmail.
The attacks seemed to be very targeted, seeking to access the email of specific individuals, Trend Micro said in a blog post in May 2011.
Reuters says China was likely behind the attacks and that Microsoft was aware of the fact. Microsoft disputes the assertion.
Microsoft did quickly patch the vulnerability.
However, it did not warn the people whose email accounts had been targeted, who included top Uighur and Tibetan leaders in multiple countries in addition to diplomats, human rights lawyers and others, Reuters reported.
Tibetans and Uighurs are kept under close watch in China, which fears independence movements there.
According to the former employees interviewed by Reuters, Microsoft engaged in a “vigorous internal debate” over the issue but in the end decided only to force users to choose new passwords, without warning them why it was doing so.
Microsoft disputes Reuters’ assertion that there was vigorous internal debate, the company said in an emailed statement to USA TODAY.
Once hackers have compromised an email account, it is relatively easy for them to use that access to reach other parts of the user’s computer and continue to spy on them even after the password has been changed.
According to the Microsoft employees, the company did not want to anger China.
Microsoft’s focus is on helping customers keep personal information secure and private, said spokesman Dominic Carr.
“Our primary concern was ensuring that our customers quickly took practical steps to secure their accounts, including by forcing a password reset. We weighed several factors in responding to this incident, including the fact that neither Microsoft nor the U.S. Government were able to identify the source of the attacks, which did not come from any single country,” he said.
Microsoft also considered the potential impact on any subsequent investigation and ongoing measures it was taking to prevent potential future attacks, Carr said.
Seyit Tumturk, who is vice president of the World Uyghur Congress and whose account was compromised in the attacks, told Reuters the company had a moral responsibility to warn users because people’s lives were at stake.