Microsoft will warn email and OneDrive users if it detects apparent attempts by governments to hack into their accounts.
The rollout of the alert system on Wednesday follows reports Redmond had failed to warn Hotmail users targeted by Chinese hackers, according to former employees.
Reuters reports Microsoft was hacked in 2011 but failed to notify affected users, partly to avoid antagonising China, the suspected culprit. Targeted users were instead advised to pick new passwords without any particular reason being supplied at the time.
Google, Facebook, Twitter and Yahoo already offer similar government hacker alert systems to the one just introduced by Microsoft. Alerts are far from rare. Google, for example, reportedly tells tens of thousands of users every few months that they’ve been targeted by foreign spooks.
Redmond’s alerting system has raised issues about US data breach disclosure laws. “If China had stolen Hotmail users' passwords, Microsoft would have had to tell users,” Christopher Soghoian, a principal technologist at the ACLU, stated in an update to his personal Twitter account. “But *private emails* are not considered PII [personally identifiable information].”
Soghoian went on to take issue with Microsoft’s advice about changing passwords frequently. Current best practice, advocated by most but not all security pros, is to use strong passwords together with a password manager. Changing passwords frequently tends to encourage the use of easier-to-remember passwords, which are easier for hackers of all stripes to guess. ®