Microsoft users will now be notified if a state-sponsored attacker tries to break into their accounts, the company said in a blog post. The announcement comes the same day as a Reuters report that Microsoft did not warn Hotmail users their email accounts had been accessed by a group associated with the Chinese government.
Users will be notified if services they access through Microsoft Account logins, including Outlook.com and OneDrive, have been breached by a government organization or by hackers working for governments. The company already notifies users if an unauthorized third party tries to access their accounts, but Scott Charney, Microsoft corporate vice president of trustworthy computing, wrote that state-sponsored attacks “could be more sophisticated or sustained than attacks from cybercriminals.”
Getting a notification does not mean an account has been hacked; it means Microsoft has evidence the account has been targeted by state-sponsored attackers and that the user needs to take extra steps, such as turning on two-factor authentication and changing passwords.
Charney did not specifically mention the Reuters article in his post, but a Microsoft representative told the news agency that it plans to change its policy to notify email users of state-sponsored attacks. Charney did state, however, that the new notifications “do not mean that Microsoft’s own systems have in any way been compromised.”
The email attacks covered by the report were first discovered by security software maker Trend Micro in May 2011 and found to have begun in July 2009. During that time, email accounts from international leaders of the Uighur and Tibetan communities (two Chinese minorities under heavy surveillance by the government), African and Japanese diplomats, and human rights lawyers were breached.
Microsoft forced targeted users to reset their passwords, but did not give them more details about the attack. Two former Microsoft employees told Reuters that the company did not give explicit warnings in part because of the risk of reprisals from the Chinese government.
In a media statement, a Microsoft representative said “Our focus is on helping customers keep personal information secure and private. Our primary concern was ensuring that our customers quickly took practical steps to secure their accounts, including by forcing a password reset. We weighed several factors in responding to this incident, including the fact that neither Microsoft nor the U.S. government were able to identify the source of the attacks, which did not come from any single country. We also considered the potential impact on any subsequent investigation and ongoing measures we were taking to prevent potential future attacks.”