Microsoft to now join Google, Facebook to notify email users of suspected state-sponsored attacks
Recently, Reuters reported that Microsoft had failed to notify more than 1,000 users that they were victims of a hacking attack. Reuters said that Microsoft’s own former employees had determined that the hack was sponsored by the Chinese government. However, the Redmond giant is disputing this report.
According to Reuters, the victims included activists from China’s Tibetan and Uighur minorities in particular who used Microsoft’s Hotmail email service from 2009 to 2011. In an email to Fast Company, the company said that it never concluded the Chinese government was to blame.
The attackers exploited a since-fixed flaw in Hotmail’s security to obtain copies of the victims’ emails, according to a previous report explaining the malware behind the hack. Microsoft says it required the affected users to reset their passwords and cautioned them that it had identified suspicious activity tied to their accounts.
In a media statement, a Microsoft representative said, “Our focus is on helping customers keep personal information secure and private. Our primary concern was ensuring that our customers quickly took practical steps to secure their accounts, including by forcing a password reset. We weighed several factors in responding to this incident, including the fact that neither Microsoft nor the U.S. government were able to identify the source of the attacks, which did not come from any single country. We also considered the potential impact on any subsequent investigation and ongoing measures we were taking to prevent potential future attacks.”
On Wednesday, Microsoft said it would change its policy and in future inform its email customers when it suspects there has been a government hacking attempt—a policy that has already been adopted by Facebook, Google, and Yahoo.
“We will now notify you if we believe your account has been targeted or compromised by an individual or group working on behalf of a nation state,” the company said in a statement.
In the China case, two former Microsoft employees told Reuters that the company required affected users to change their passwords, but didn’t disclose that they were victims of a state attack. Some of the victims believed the password-change prompts were routine security measures, according to the report.
In announcing the new policy, Microsoft said: “As the threat landscape has evolved our approach has too, and we’ll now go beyond notification and guidance to specify if we reasonably believe the attacker is ‘state-sponsored.’”
According to the former employees, the Hotmail attacks targeted diplomats, human rights lawyers, media workers, and others in sensitive positions inside China.
Security experts and online free-speech activists have long been calling for more direct warnings, saying that they speed up behavioural changes from email users.
The Chinese government “is a resolute defender of cyber security and strongly opposes any forms of cyber attacks”, Chinese Foreign Ministry spokesman Lu Kang said, adding that it punishes any offenders in accordance with the law.
“I must say that if the relevant party has some real and conclusive evidence, then it can carry out mutually beneficial cooperation with China in a constructive way in accordance with the existing channels,” Lu said at a daily news briefing.
“But if there’s the frequent spreading of unfounded rumors, it will, in fact, be of no benefit to solving the problem, enhancing mutual trust and promoting cyber security.”