Yes, apparently Microsoft knows when your account is hacked, though you might not be made aware of it immediately. And yes, it will tell you the next time hackers try to spy on your email. But it hasn’t done so in the recent past for a variety of reasons, one of them being that the company is afraid of the Chinese government.
A detailed report from Reuters reveals that Microsoft failed to inform victims of Hotmail hacks in 2011 when they were discovered. Instead, the company investigated the matter internally, and then forced password resets on the affected email accounts.
Security firm Trend Micro discovered in May that a computer program was used by an organization to tap into Hotmail traffic. The program took advantage of a previously unknown flaw to route email traffic to a third party without the target knowing that someone else was able to read all incoming email. Microsoft patched the bug before it was disclosed.
Microsoft found out that some email interceptions began in July 2009, and that some of the attacks originated from a Chinese network identified as AS4808, which was associated with major spying campaigns targeting the U.S. But similar spying was performed by other governments, the report said.
“We weighed several factors in responding to this incident, including the fact that neither Microsoft nor the U.S. government were able to identify the source of the attacks, which did not come from any single country,” Microsoft said. “We also considered the potential impact on any subsequent investigation and ongoing measures we were taking to prevent potential future attacks.”
The compromised Hotmail accounts belonged to top Uighur and Tibetan leaders in multiple countries, Japanese and African diplomats, human rights lawyers and other people in sensitive positions.
In the future, Microsoft will notify users about such intrusions into their personal data. “As the threat landscape has evolved, our approach has too, and we’ll now go beyond notification and guidance to specify if we reasonably believe the attacker is ‘state-sponsored,’” the company said.
Reuters goes on to explain that Microsoft decided in 2011 not to issue explicit warnings for fear of angering the Chinese government – according to two people familiar with the investigation. Microsoft doesn’t address that allegation, but a person familiar with the thinking of the top executives that investigated the security breach says that fear of Chinese reprisals did play a role in the final decision.
Meanwhile, the company said its primary concern was restoring security to the accounts as fast as possible – hence the password resets. But it’s not clear whether this security procedure was enough to restore the safety of the affected accounts. Former Microsoft employees said it was likely the hackers had obtained access to the computers of their targets, so the password resets would still have been visible to them.
The Cyberspace Administration of China did not comment on the matter, but the Chinese Foreign Ministry did sort of deny involvement, saying that China is a strong defender of cyber security and that it opposes any such attacks.