Microsoft to notify victims of state-backed hackers

After failing to alert the owners of more than 1,000 Hotmail accounts that they had been infiltrated by Chinese officials, Microsoft will begin notifying users when it believes they have been the target of a state-sponsored cyberattack.

“We’re taking this additional step of specifically letting you know if we have evidence that the attacker may be ‘state-sponsored’ because it is likely that the attack could be more sophisticated or more sustained than attacks from cybercriminals and others,” the company said in a blog post.


Microsoft joins other major tech firms — including Facebook and Twitter — who either have such policies or have sent users similar notifications.

The announcement follows revelations that the company discovered that Chinese authorities infiltrated over 1,000 of its Hotmail email accounts beginning in 2009, but did not tell users.

The omission effectively allowed the hackers to continue their campaign, former employees of the company told Reuters.

Victims included Uighur and Tibetan leaders in several countries, Japanese and African diplomats, human rights lawyers and others in sensitive positions within China, former employees told the news service.

The security company Trend Micro originally discovered the breach in 2011, prompting Microsoft to begin its own internal investigation. According to Reuters, debate over how to handle the intrusion reached Microsoft’s top security counsel, Scott Charney, and then-general counsel and current president Brad Smith.

The company decided not to alert users of the hack, instead simply forcing them to pick new passwords without revealing the reason.

Microsoft has declined to name China as the culprit.

"We weighed several factors in responding to this incident, including the fact that neither Microsoft nor the U.S. government were able to identify the source of the attacks, which did not come from any single country," the company said in a statement.

China has vigorously denied that it engages in any form of cyber espionage. The country has been under strict scrutiny after President Xi Jinping signed a controversial anti-hacking pledge with the U.S. in September.

The Chinese government is widely believed to be behind the infiltration of the Office of Personnel Management’s databases, which exposed personal information of more than 21 million federal employees and others. Beijing denies any involvement.

The country has also come under fire for its poor human rights record, coinciding with a crackdown on freedom of expression online under Xi. Bloggers and online activists are regularly detained for “spreading rumors online” and “picking quarrels,” the U.S. nongovernmental organization Freedom House reports.

Xi has called for a balance between order and freedom, insisting that the former leads to broader Internet freedoms.

"We should respect Internet users' rights to exchange their ideas and express their minds, and we should also build a good order in cyberspace in accordance with law as it will help protect the legitimate rights and interests of all Internet users," Xi said, speaking at China’s second World Internet Conference in Wuzhen earlier this month.

At least one victim has already spoken out criticizing Microsoft’s failure to notify users of the hack.

"The Internet service providers and the email providers have an ethical and a moral responsibility to let the users know that they are being hacked," Seyit Tümtürk, vice president of the World Uyghur Congress, told Reuters. "We are talking in people's lives here."