Updated on Jan. 1 based on Microsoft’s response to the Reuters report.
Hotmail users in China were the target of a concerted hacking campaign by China that lasted two years. And Microsoft kept quiet about it, according to Reuters.
The campaign apparently focused on Tibetan and Uighur leaders who used Microsoft’s Hotmail service. Reuters revealed that Microsoft had not informed its users in 2011 that they were the targets of a hacking campaign. At the time, Microsoft—likely afraid of angering the Chinese government—just forced affected users to change their passwords, instead of telling the Hotmail users they were targets of a hack.
This probably wasn’t a good idea: by then the hackers already had a foothold on some of the targeted users’ computers, former Microsoft employees told Reuters, so they would have captured the new passwords as they were entered and kept their access to the accounts.
After the report, Microsoft said it will reverse its stance and start warning users when it believes a state-sponsored actor is trying to break into their accounts. Microsoft didn’t say that the Hotmail hacking campaign was behind its policy shift and made no mention of Chinese hacking in its announcement. It also said it hadn’t traced the Hotmail hackers to a single country.
Speaking to Quartz, a Microsoft spokesman disputed the Reuters report and its use of anonymous former employees. “We weighed several factors in responding to this incident, including the fact that neither Microsoft nor the US government were able to identify the source of the attacks,” he said. “Our primary concern was ensuring that our customers quickly took practical steps to secure their accounts, including by forcing a password reset.”
Warning users that they’re the targets of a government hacking attack is in vogue among tech companies. Twitter issued alerts to some users on Dec. 11 that a government was probably trying to get into their accounts, although it doesn’t appear to have a public policy outlining the warning system. Yahoo did the same 10 days later.
It’s a trend that may have been sparked by Chinese cyber espionage. Google didn’t officially link its alert service with Chinese hacking in its announcement, but it came after years of public spats with Chinese authorities over attacks that the tech company claimed originated from the People’s Republic.