Report: Microsoft didn’t warn users China hacked accounts – USA TODAY
SAN FRANCISCO – Microsoft is disputing a Reuters report that it became aware four years ago China likely had hacked into Hotmail accounts belonging to Tibetan and Uighur minority leaders, among others, but did not warn the victims their privacy was at risk.
Microsoft did make a change to its policies around this type of hacking on Wednesday. The company had previously not explicitly warned users of possible state-sponsored hacking, which Google has done for several years and which Facebook and Yahoo recently began doing.
On Wednesday, Microsoft announced that it will now notify customers if it believes their account has been targeted or compromised by an individual or group working on behalf of a country or nation state.
“We’re taking this additional step of specifically letting you know if we have evidence that the attacker may be ‘state-sponsored’ because it is likely that the attack could be more sophisticated or more sustained than attacks from cybercriminals and others,” Microsoft said in a blog post.
The change seems to have come in response to the revelations in the Reuters story.
According to unnamed former Microsoft employees quoted by the news service, the initial attacks on Hotmail users began in 2009. They were only brought to light in 2011.
In May of that year, researchers at security firm Trend Micro showed that the attack exploited a previously unpatched vulnerability in Microsoft’s free email program Hotmail.
The attacks seemed to be very targeted, seeking to access the email of specific individuals, Trend Micro said in a blog post in May 2011.
Reuters says China was likely behind the attacks and that Microsoft was aware of the fact. Microsoft disputes the assertion.
Microsoft did quickly patch the vulnerability.
However, it did not warn the people whose email accounts had been targeted, who included top Uighur and Tibetan leaders in multiple countries in addition to diplomats, human rights lawyers and others, Reuters reported.
Tibetans and Uighurs are kept under close watch in China, which fears independence movements there.
According to the former employees interviewed by Reuters, Microsoft engaged in a “vigorous internal debate” over the issue but in the end decided only to force users to choose new passwords, without warning them why it was doing so.
Microsoft disputes Reuters’ assertion that there was vigorous internal debate, the company said in an emailed statement to USA TODAY.
Once hackers have compromised an email account, it is relatively easy to access other portions of the user’s computer and continue to spy on them despite changed passwords.
According to the Microsoft employees, the company did not want to anger China.
Microsoft’s focus is on helping customers keep personal information secure and private, said spokesman Dominic Carr.
“Our primary concern was ensuring that our customers quickly took practical steps to secure their accounts, including by forcing a password reset. We weighed several factors in responding to this incident, including the fact that neither Microsoft nor the U.S. Government were able to identify the source of the attacks, which did not come from any single country,” he said.
Microsoft also considered the potential impact on any subsequent investigation and ongoing measures it was taking to prevent potential future attacks, Carr said.
Seyit Tumturk, who is vice president of the World Uyghur Congress and whose account was compromised in the attacks, told Reuters the company had a moral responsibility to warn users because people’s lives were at stake.
Follow USA TODAY technology reporter Elizabeth Weise @eweise