Update: Microsoft Denies Report It Didn’t Notify Victims of Chinese State Hotmail Hack

The company will now join Google, Facebook in alerting victims of suspected state-sponsored hacks.


Microsoft is disputing a report that it failed to notify more than 1,000 users that they were victims of a hacking attack that Reuters says the company’s own investigators determined was sponsored by the Chinese government.


The victims included activists from China’s Tibetan and Uighur minority groups who used Microsoft’s Hotmail email service from 2009 to 2011, according to Reuters. The company said in an email to Fast Company that it never concluded the Chinese government was to blame.

The attackers exploited a since-fixed flaw in Hotmail’s security to obtain copies of the victims’ emails, according to a previous report describing the malware behind the hack. Microsoft says it required the affected customers to reset their passwords and warned them it had detected suspicious activities tied to their accounts.

“We weighed several factors in responding to this incident, including the fact that neither Microsoft nor the U.S. Government were able to identify the source of the attacks, which did not come from any single country,” a Microsoft spokesperson wrote. “We also considered the potential impact on any subsequent investigation and ongoing measures we were taking to prevent potential future attacks.”

Still, Microsoft said on Wednesday that it will start alerting users if it believes they’re victims of state-sponsored hacks, a policy that has already been adopted by Facebook, Google, and Yahoo.

“We will now notify you if we believe your account has been targeted or compromised by an individual or group working on behalf of a nation state,” the company said in a statement.

In the China case, two former Microsoft employees told Reuters that the company required affected users to change their passwords, but didn’t disclose that they were victims of a state attack. Some of the victims believed the password-change prompts were routine security measures, according to the report.


A Chinese Foreign Ministry spokesperson expressed skepticism about the report, saying at a daily news briefing that the government is “a resolute defender of cyber security and strongly opposes any forms of cyberattacks.”

About the author

Steven Melendez is an independent journalist living in New Orleans.