Microsoft knew that Chinese spies hacked Hotmail users—and didn’t tell any of the people who were hacked, even though it knew for years.


Today, Reuters confirmed that Microsoft had agreed to change its hush-up policy about state-sponsored hacks:

Microsoft Corp experts concluded several years ago that Chinese authorities had hacked into more than a thousand Hotmail email accounts, targeting international leaders of China’s Tibetan and Uighur minorities in particular – but it decided not to tell the victims, allowing the hackers to continue their campaign, according to former employees of the company. On Wednesday, after a series of requests for comment from Reuters, Microsoft said it would change its policy and in future tell its email customers when it suspects there has been a government hacking attempt.


Instead of telling people what happened, Microsoft made them change their passwords without explaining that, oh yeah, you know, they were targets of international cyber-espionage:

After a vigorous internal debate in 2011 that reached Microsoft’s top security official, Scott Charney, and its then-general counsel and now president, Brad Smith, the company decided not to alert the users clearly that anything was amiss, the former employees said. Instead, it simply forced users to pick new passwords without disclosing the reason.

Facebook and Yahoo have updated their policies recently to tell users when they are the targets of state-sponsored attacks like this, and Google has had this policy since 2012. It’s unfortunate that Microsoft didn’t bother changing its policy until getting outed in this way.

Update 1:07: Microsoft disputes Reuters’ account of the story, and offered Gizmodo the following comment:

Our focus is on helping customers keep personal information secure and private. Our primary concern was ensuring that our customers quickly took practical steps to secure their accounts, including by forcing a password reset. We weighed several factors in responding to this incident, including the fact that neither Microsoft nor the U.S. Government were able to identify the source of the attacks, which did not come from any single country. We also considered the potential impact on any subsequent investigation and ongoing measures we were taking to prevent potential future attacks.


[Reuters]