Sunday, September 24, 2023

China hacked Hotmail, Microsoft fails to tell users

WASHINGTON: The hack, which reportedly occurred several years ago, targeted international leaders of China’s Tibetan and Uighur minorities. However, Microsoft decided not to tell the victims, allowing the hackers to continue their campaign, former employees told media.

The first warning of the breach reportedly came in May 2011, when cyber security firm Trend Micro announced it had found an email sent to someone in Taiwan that contained a miniature computer programme.

The programme took advantage of a previously undetected flaw in Microsoft’s own web pages to secretly forward copies of all of a recipient’s incoming mail to an account controlled by the attacker. Trend Micro identified more than a thousand victims, but no direct link was immediately made with the Chinese authorities.
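The forwarding behaviour described above (a rule that silently copies every incoming message to an address the attacker controls, set on many mailboxes at once) is something a mailbox-rule audit can surface. The Python below is an added example, not code from the article, from Microsoft or from Trend Micro; the rule records, their field names (`owner`, `action`, `destination`), the allowed-domain set and the `.invalid` addresses are all constructed assumptions. It flags rules that forward outside the allowed domains and then looks for the fan-in pattern the article reports: one external address collecting copies from many accounts.

```python
"""Audit mailbox auto-forwarding rules for external destinations and for
single destinations that collect mail from many owners.

Added illustration only. The record layout and the sample rules are
constructed; no real webmail provider's export format is assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Assumption: the organisation's own mail domains; forwards elsewhere are "external".
ALLOWED_DOMAINS = {"example.org"}

# Minimal address check: one '@', no whitespace; captures the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")


@dataclass(frozen=True)
class ForwardingFinding:
    owner: str        # mailbox the rule is attached to
    destination: str  # where the copy of incoming mail is sent
    reason: str       # why the rule was flagged


def _domain(address):
    """Return the lower-cased domain of an address, or None if malformed."""
    m = EMAIL_RE.match(address.strip().lower())
    return m.group(1) if m else None


def audit_forwarding_rules(rules, allowed=ALLOWED_DOMAINS):
    """Return one finding per rule that forwards or redirects incoming mail
    to an address outside `allowed`, or to a malformed address.
    Rules with other actions (move, flag, delete) are ignored."""
    findings = []
    for rule in rules:
        if rule.get("action", "").lower() not in {"forward", "redirect"}:
            continue
        dest = rule.get("destination", "")
        dom = _domain(dest)
        if dom is None:
            findings.append(ForwardingFinding(rule["owner"], dest, "malformed destination"))
        elif dom not in allowed:
            findings.append(ForwardingFinding(rule["owner"], dest, f"external domain {dom}"))
    return findings


def destinations_with_fan_in(rules, min_owners=2):
    """Return flagged destinations that receive forwarded mail from at least
    `min_owners` distinct mailboxes, mapped to the sorted list of owners.
    One address harvesting copies from many accounts is the pattern the
    article describes; a legitimate personal forward rarely looks like that."""
    owners = defaultdict(set)
    for f in audit_forwarding_rules(rules):
        owners[f.destination.strip().lower()].add(f.owner)
    return {d: sorted(o) for d, o in owners.items() if len(o) >= min_owners}


# Constructed sample export: five mailboxes, one shared external collector.
SAMPLE_RULES = [
    {"owner": "alice@example.org", "action": "forward",  "destination": "alice.backup@example.org"},
    {"owner": "bob@example.org",   "action": "forward",  "destination": "collector@mail.invalid"},
    {"owner": "carol@example.org", "action": "redirect", "destination": "collector@mail.invalid"},
    {"owner": "dave@example.org",  "action": "move",     "destination": "Archive"},
    {"owner": "erin@example.org",  "action": "forward",  "destination": "not-an-address"},
]

if __name__ == "__main__":
    for finding in audit_forwarding_rules(SAMPLE_RULES):
        print(f"{finding.owner} -> {finding.destination}: {finding.reason}")
    for dest, who in destinations_with_fan_in(SAMPLE_RULES).items():
        print(f"fan-in: {dest} collects mail from {len(who)} mailboxes: {who}")
```

On the constructed sample, alice's rule is allowed (same domain), dave's rule is not a forward at all, erin's rule is flagged as malformed, and bob's and carol's rules both point at the same external address, which the fan-in check reports. The two thresholds worth tuning in practice are the allowed-domain set and `min_owners`; on a consumer service such as Hotmail, where no organisational domain exists, only the fan-in check carries over.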

Microsoft patched the vulnerability before the security company announced its findings publicly. Later that year, Microsoft launched its own investigation into the incident, finding that some interception had begun in July 2009, and had compromised the emails of top Uighur and Tibetan leaders in multiple countries – as well as Japanese and African diplomats, human rights lawyers and others in sensitive positions inside China.

Some of the attacks had come from a Chinese network known as AS4808, which has been associated with major spying campaigns.

After a vigorous internal debate, the company decided not to alert users that anything was amiss. Instead, it simply forced users to pick new passwords without disclosing the reason, claiming this was the fastest way to restore security to the accounts.

He added that the company does not plan on providing detailed or specific information about the attackers or their methods, because the evidence it collects in any active investigation may be sensitive. However, when the evidence reasonably suggests the attacker is “state sponsored”, it will say so. The move could put Microsoft at odds with UK government proposals to limit what technology firms can say about surveillance.

The government’s draft Investigatory Powers Bill (also known as the “Snooper’s Charter”) would make it illegal for firms to tell customers they were being targeted if the company did not obtain official permission to do so.

Earlier this week, it emerged that staff at these firms could face up to two years in prison if they tip off customers that they are under surveillance by police or the security services.
