Microsoft knew that Chinese spies hacked people using Hotmail accounts for years — and didn’t tell any of the people who were hacked.
Today, Reuters confirmed that Microsoft had agreed to change its hush-up policy about state-sponsored hacks:
Microsoft Corp experts concluded several years ago that Chinese authorities had hacked into more than a thousand Hotmail email accounts, targeting international leaders of China’s Tibetan and Uighur minorities in particular — but it decided not to tell the victims, allowing the hackers to continue their campaign, according to former employees of the company.
On Wednesday, after a series of requests for comment from Reuters, Microsoft said it would change its policy and in future tell its email customers when it suspects there has been a government hacking attempt.
Instead of telling people what happened, Microsoft made them change their passwords without explaining that, oh yeah, you know, they were targets of international cyber-espionage:
After a vigorous internal debate in 2011 that reached Microsoft’s top security official, Scott Charney, and its then-general counsel and now president, Brad Smith, the company decided not to alert the users clearly that anything was amiss, the former employees said. Instead, it simply forced users to pick new passwords without disclosing the reason.
Facebook and Yahoo have updated their policies recently to tell users when they are the targets of state-sponsored attacks like this, and Google has had this policy since 2012. It’s unfortunate that Microsoft didn’t bother changing its policy until getting outed in this way.