Microsoft has stated that it will start to warn users when it suspects that governments have been trying to hack into its accounts in services like Outlook.com email.
This was revealed days after the news agency Reuters asked Microsoft Corp why it had not notified victims of a hack begun in 2009 and discovered in 2011, which targeted over 1,000 leaders and activists of China's Tibetan and Uighur minorities, as well as African diplomats and human rights activists.
Though Microsoft officially said they could not pinpoint the source of the 2011 hack, two former employees of the company told media that Microsoft’s experts had concluded that the hack was perpetrated by the Chinese authorities.
This directly contradicts Microsoft's statement that neither it nor the US government could identify the source of the hack and that the attacks came from more than one country. Instead of telling the victims of this hack what had happened, Microsoft told them only to reset their passwords.
The Microsoft View On Hacking in 2015
Years after this happened, Microsoft released a statement to Reuters, changing their attitude toward email hacking, and promising to do more for their customers.
They said in their statement:
“As the threat landscape has evolved our approach has too, and we’ll now go beyond notification and guidance to specify if we reasonably believe the attacker is ‘state-sponsored’.”
Microsoft also said on their blog:
A key part of our work is identifying and preventing unauthorized access to your Microsoft Account (including Outlook.com email and OneDrive) by anyone other than you. We’re taking an additional step today. We will now notify you if we believe your account has been targeted or compromised by an individual or group working on behalf of a nation state.
Impact Of The New Microsoft Hacking Measures
These measures from Microsoft are extremely welcome, especially as the company failed to alert its affected customers of the 2011 security breach. However, the effectiveness of the new developments may be compromised for users based in countries which legally allow state-sponsored hacking.
In the US, Microsoft has been fighting US authorities’ demands that it hand over the Outlook.com email correspondence of an American customer whose data is stored offshore in an Irish data center.
In the UK, Microsoft’s new measures could run into problems if the Investigatory Powers Bill, currently still a draft, is passed. This bill, also known as “the snoopers’ charter”, would make it illegal for companies to tell customers they were being targeted by the UK government unless they had permission from the authorities.
Microsoft has refused to comment on this conflict of interest with its operations in the UK; only time will tell if this causes Microsoft problems with UK law.
Though the changes from Microsoft Corp are extremely welcome, it is likely that they could frequently be overruled by governments that use hacking as one of their intelligence-gathering and surveillance methods.
Advice From Microsoft On Email Hacking
In the same blog post announcing that it will now notify users if it believes they have been targeted or compromised by a group working for a nation state, Microsoft provided some helpful steps users can take to help secure their email:
- Turn On Two-Step Verification: This way, even if a hacker guesses your password, Microsoft will notice a sign-in from a device other than your own, and the hacker will be asked for an extra security code. You can receive the code through an authenticator app on your phone, at your alternate email addresses, or via SMS.
- Make Sure Your Password is Strong and Change it Regularly: This makes it harder to hack your account. Mixes of letters, numbers and symbols work well; using letters which don't make a complete word is also advisable, and you should change your password often.
- Always Watch For Suspicious Activity On Your Account: The "Recent Activity" page in your Microsoft Account will show you all recent sign-ins and any changes made to your account. It can also show you which devices have been used to sign in. You can use this to let Microsoft know if any of the listed sign-ins were not you.
- Be Careful Of Suspicious Websites And Emails: Don't open emails from senders you don't recognize, and don't open or download email attachments from these senders. Be aware of the risks when downloading apps, and do so only from trusted sources; also remain careful when downloading files from the internet.
- Keep Your Computer Software Up To Date And Run Anti-Virus Programs: Always make sure that your computer software, including your web browsers, is fully up to date, and install anti-virus software on your computer. Keep the anti-virus program up to date as well, and check that it is working. For Windows PCs, you should turn on Windows Update to keep your computer updated: Windows 8.1 and Windows 10 both include free anti-malware software, but you should still check that it is functioning regularly.
Microsoft Corp has thus come a long way since its failure to alert customers to the 2011 hack, and these new developments show the company becoming more aware of the security issues faced by its users, and also more attuned to public opinion.
The new measures taken by Microsoft remain subject to the policies of the governments that rule its many users; some are therefore still concerned about their use of Microsoft products. However, this will still be welcome news to many who are concerned about their privacy and the security of their communication when using Outlook.com email and other Microsoft services, and shows the company taking a stand on the issue of nation-state hacking.