Microsoft on Thursday announced that it will alert users of its consumer cloud services—Outlook.com, OneDrive and so on—when it suspects that governments are trying to hack into their accounts.
Microsoft’s policy change was first reported by Reuters, which had confronted the software giant about not telling users when governments hacked their accounts. But Microsoft says that neither it nor the U.S. government was able to determine who was behind the 2009 electronic attack noted below.
“We’re taking this additional step of specifically letting you know if we have evidence that the attacker may be ‘state-sponsored’ because it is likely that the attack could be more sophisticated or more sustained than attacks from cybercriminals and others,” Microsoft corporate vice president for trustworthy computing Scott Charney explains. “The evidence we collect in any active investigation may be sensitive, so we do not plan on providing detailed or specific information about the attackers or their methods. But when the evidence reasonably suggests the attacker is ‘state sponsored,’ we will say so.”
This is a bold new step, even for a company that has been pushing back against governmental intrusions ever more publicly over the past year or more. And in taking this step, Microsoft has once again chosen its customers over what it sees as illegal behavior on the part of the world’s governments.
A Reuters report claims that Microsoft had obtained evidence of a Chinese governmental hack into over one thousand Hotmail accounts, and decided not to tell the victims, most of whom were associated with the leadership of China’s Tibetan and Uighur minorities. Though it has denied this report, Microsoft decided to change its policy about governmental intrusions. But some other technology companies already issue such warnings. For example, Google has done so since 2012.
The China hacking incident dates back to 2009, but Microsoft didn’t uncover the source until 2011, when Trend Micro alerted it to a flaw in the Hotmail web site that allowed hackers to forward emails from specific accounts. Microsoft patched the service before Trend Micro announced the hack.
“We weighed several factors in responding to this incident, including the fact that neither Microsoft nor the U.S. government were [initially] able to identify the source of the attacks, which did not come from any single country,” a Microsoft statement about the Chinese hacks notes. “We also considered the potential impact on any subsequent investigation and ongoing measures we were taking to prevent potential future attacks.”
Microsoft did alert the impacted users about an intrusion and required them to reset their passwords. But the firm didn’t tell them that the intrusion was carried out by the Chinese government, because it was unable to determine the source, it says.
“Our primary concern was ensuring that our customers quickly took practical steps to secure their accounts, including by forcing a password reset,” Microsoft explains.
As you might expect, China is not happy to be named in Reuters’ report.
“China is a resolute defender of cyber-security and strongly opposes any forms of cyber-attacks,” a statement by the China Foreign Ministry claims.
Microsoft also provided some information about how users can secure their Microsoft accounts. This includes enabling two-step verification, using a strong password that is changed regularly, monitoring for suspicious activity, paying attention when opening emails, and ensuring that your PC is up-to-date with anti-virus and other security software.
UPDATE: This article has been updated to reflect the fact that Microsoft still does not know who was responsible for the 2009 electronic attack against people opposed to the Chinese government’s policies.