Microsoft failed to tell users of its free webmail service, Hotmail, that their private communications had been compromised, after discovering that Chinese authorities had hacked into more than 1,000 accounts.

The hack, which reportedly occurred several years ago, targeted international leaders of China’s Tibetan and Uighur minorities. However, Microsoft decided not to tell the victims, allowing the hackers to continue their campaign, former employees told Reuters.

The first warning of the breach reportedly came in May 2011, when cyber security firm Trend Micro announced it had found an email sent to someone in Taiwan that contained a miniature computer programme.

The programme took advantage of a previously undetected flaw in Microsoft's own web pages to secretly forward copies of all of a recipient's incoming mail to an account controlled by the attacker.

Hotmail has now been renamed Outlook.com.

Trend Micro identified more than a thousand victims, but no direct link was immediately made with the Chinese authorities. Microsoft patched the vulnerability before the security company announced its findings publicly.

Later that year, Microsoft launched its own investigation into the incident, finding that some interception had begun in July 2009, and had compromised the emails of top Uighur and Tibetan leaders in multiple countries - as well as Japanese and African diplomats, human rights lawyers and others in sensitive positions inside China.

Some of the attacks had come from a Chinese network known as AS4808, which has been associated with major spying campaigns.

After a vigorous internal debate, the company decided not to alert users that anything was amiss. Instead, it simply forced users to pick new passwords without disclosing the reason, claiming this was the fastest way to restore security to the accounts.

"We weighed several factors in responding to this incident, including the fact that neither Microsoft nor the US government were able to identify the source of the attacks," Microsoft said in a statement.

"Our primary concern was ensuring that our customers quickly took practical steps to secure their accounts, including by forcing a password reset."

Other technology providers like Google, Facebook, Twitter and Yahoo make a point of notifying users about suspected state-sponsored hacking. However, Microsoft has previously rejected the idea.

The company has now changed its policy, announcing that in future it will tell its email customers when it suspects there has been a government hacking attempt.

"We’re taking this additional step of specifically letting you know if we have evidence that the attacker may be 'state-sponsored' because it is likely that the attack could be more sophisticated or more sustained than attacks from cybercriminals and others," said Scott Charney, Microsoft's Corporate Vice President, in a blog post.

"If you receive one of these notifications it doesn't necessarily mean that your account has been compromised, but it does mean we have evidence your account has been targeted, and it’s very important you take additional measures to keep your account secure."

He added that the company does not plan on providing detailed or specific information about the attackers or their methods, because the evidence it collects in any active investigation may be sensitive.

However, when the evidence reasonably suggests the attacker is "state sponsored", it will say so.

The move could put Microsoft at odds with UK government proposals to limit what technology firms can say about surveillance.

The government's draft Investigatory Powers Bill (also known as the "Snooper's Charter") would make it illegal for firms to tell customers they were being targeted if the company did not obtain official permission to do so.

Earlier this week it emerged that staff at these firms could face up to two years in prison if they tip off customers that they are under surveillance by police or the security services.
