Back in 2011, the first public signals emerged that over 1,000 Uighur and Tibetan leaders, and others with sensitive positions inside China, had their Hotmail accounts compromised by attacks coming from both within and beyond China. Further Microsoft investigation revealed that the attacks had started as early as 2009, and included Japanese and African diplomats as well as some human rights lawyers inside China.
According to a report in Reuters, at the time Microsoft, after some “vigorous internal debate,” decided not to alert these users that there was a problem. Instead the company just forced those users to reset their passwords, without offering any explanation as to why. Other companies like Yahoo and Facebook have for years been issuing generic warnings about hacking where the principal suspect was a government, and since 2012 Google, whose own servers in China were severely compromised, has been issuing explicit warnings of state-sponsored hacking attempts on user accounts.
After a series of requests for more information by Reuters, Microsoft has taken steps to change its policy, as outlined in a Microsoft on the Issues blog post. Moving forward, Microsoft plans to begin explicitly warning users if their accounts, including Outlook.com and OneDrive accounts, have been hacked:
We already notify users if we believe their accounts have been targeted or compromised by a third party, and we provide guidance on measures users can take to keep their accounts secure. We’re taking this additional step of specifically letting you know if we have evidence that the attacker may be “state-sponsored” because it is likely that the attack could be more sophisticated or more sustained than attacks from cybercriminals and others. These notifications do not mean that Microsoft’s own systems have in any way been compromised.
If you receive one of these notifications it doesn’t necessarily mean that your account has been compromised, but it does mean we have evidence your account has been targeted, and it’s very important you take additional measures to keep your account secure. You should also make sure your computer and other devices don’t have viruses or malware installed, and that all your software is up to date.
The blog post goes on to remind users of important steps they should take to help prevent hacking, including turning on 2-step verification, using a strong password and changing it often, keeping your computer up to date and running an anti-virus/malware program, and watching for suspicious activity and being careful of suspicious emails and websites.
Reuters interviewed a number of affected diplomats and media members whose accounts were broken into, and although some of them remembered the requests to change their passwords, none of them had any idea that anyone, let alone agents of the Chinese government, had accessed their mail.