Hong Kong —

State-backed Chinese hackers foiled Microsoft's cloud-based security in hacking the email accounts of officials at multiple U.S. agencies that deal with China ahead of Secretary of State Antony Blinken's trip to Beijing last month, officials said Wednesday.

The surgical, targeted espionage accessed the email of a small number of individuals at an unspecified number of U.S. agencies and was discovered in mid-June by the State Department, U.S. officials said. They said none of the breached systems were classified, nor was any of the stolen data.

Related video above: Rossen Reports: How to sign up for dark web monitoring

The hacked officials included Commerce Secretary Gina Raimondo, The Washington Post reported, citing anonymous U.S. officials. Export controls imposed by her agency have stung multiple Chinese companies.

One person familiar with the investigation said U.S. military and intelligence agencies were not among the agencies impacted in the monthlong spying campaign, which also affected unnamed foreign governments.

The officials spoke on condition they not be further identified.

In a technical advisory Wednesday and a call with reporters, the U.S. Cybersecurity and Infrastructure Security Agency and the FBI said Microsoft determined the hackers gained access by impersonating authorized users.

Officials did not specify the nature of the stolen data. But one U.S. official said the intrusion was “directly targeted” at diplomats and others who deal with the China portfolio at the State Department and other agencies. The official added that it was not yet clear if there had been any significant compromise of information.

The Blinken trip went ahead as planned, although with customary information security procedures in place, which required his delegation to use “burner” phones and computers in China.

The hack was disclosed late Tuesday by Microsoft in a blog post. It said it was alerted to the breach, which it blamed on a state-backed, espionage-focused Chinese hacking group “known to target government agencies in Western Europe,” on June 16. Microsoft said the group, which it calls Storm-0558, had gained access to email accounts affecting about 25 organizations, including government agencies, since mid-May as well as to consumer accounts of individuals likely associated with those agencies.

Neither Microsoft nor U.S. officials would identify the agencies or governments impacted. A senior CISA official told reporters in a press call that the number of affected organizations in the United States is in the single digits.

While the official declined to say whether U.S. officials are displeased with Microsoft over the breach, U.S. National Security Council spokesman Adam Hodge noted that it was “government safeguards” that detected the intrusion and added, “We continue to hold the procurement providers of the U.S. Government to a high security threshold.”

In fact, those safeguards consist of a data-logging feature for which Microsoft charges a premium. The CISA official noted that some of the victims lacked the data-logging feature and, unable to detect the breach, learned of it from Microsoft.

But of greater concern to cybersecurity experts is that The Storm-0558 hackers broke in using forged authentication tokens — which are used to verify the identity of a user. Microsoft's executive vice president for security, Charlie Bell, said on the company's website that the hackers had done that by acquiring a “consumer signing key.”

Cybersecurity researcher Jake Williams, a former National Security Agency offensive hacker, said it remains unclear how the hackers accomplished that. Microsoft did not immediately respond to emailed questions, including whether it was breached by the hackers to obtain the signing key.

Williams was concerned the hackers could have forged tokens for wide use to hack any number of non-enterprise Microsoft users. “I can’t imagine China didn’t also use this access to target dissidents on personal subscriptions, too."

The head of intelligence for the cybersecurity firm Crowdstrike, Adam Meyers, said in a statement that the incident highlights the systemic risk of relying on a single technology provider in Microsoft. He said “having one monolithic vendor that is responsible for all of your technology, products, services and security - can end in disaster.”

A Chinese foreign ministry spokesman, Wang Wenbin, called the U.S. accusation of hacking “disinformation” aimed at diverting attention from U.S. cyberespionage against China.

“No matter which agency issued this information, it will never change the fact that the United States is the world’s largest hacker empire conducting the most cyber theft,” Wang said in a routine briefing.

U.S. intelligence agencies also use hacking as a critical espionage tool and it is not a violation of international law.

Last month, Google-owned cybersecurity firm Mandiant said suspected state-backed Chinese hackers broke into the networks of hundreds of public and private sector organizations globally exploiting a vulnerability in a popular email security tool.

Earlier this year, Microsoft said state-backed Chinese hackers were targeting U.S. critical infrastructure and could be laying the technical groundwork to disrupt critical communications between the U.S. and Asia during future crises.

____

Associated Press writers Aamer Madhani in Washington and Zen Soo in Hong Kong contributed to this report. Bajak reported from Boston.

Microsoft recently advised against longstanding, conventional cybersecurity logic on required password changes. It turns out forced switches made users select more predictable and easy-to-breach passwords.

"The pattern that humans use, particularly when they're not using a password manager, is they come up with, sort of, this rubric," said Pedro Canahuati, chief technology officer at 1Password. "If that's really very complex, it makes it difficult for people to gain access to it. But the reality is, humans are not good at randomness."

"The previous advice for people to rotate their passwords so frequently led to some really bad habits: people writing passwords down, only changing maybe the last digit," said Lisa Plaggemier, executive director of the National Cybersecurity Alliance.

"Changing that one character at the end of your password is not enough when you're up against a bot who's just cycling away at different passwords and switching out letters and numbers."

Humans are notoriously bad at passwords. NordPass' research of commonly used passwords across 50 countries in 2021 found the most popular were strings of letters or numbers, like 123456 and qwerty or words like a password. Most could be cracked in less than one second.

Still, if you search online for advice on how often you should change passwords, you'll still find many results saying you should change them routinely.

Newsy spoke to four cybersecurity experts about best rotation practices. While all noted that there are times when passwords should be changed — like when your data is implicated in a breach — other, more important security features can be used to strengthen data protection.

"People just need to understand that passwords only go so far, and you need multifactor authentication," said Ed Skoudis, president of SANS Technology Institute. "Password management organizations also have an obligation to keep their users secure and safe."

"The simple solution at the end of the day is to use strong and unique passwords with a password manager because nobody can create them as strong as they can with the password manager," said Craig Lurey, chief technology officer at Keeper Security. "This is hundreds of engineers, solely focused on protecting passwords in an encrypted vault that's highly secure and protected from access, and all the years of implementation that went into that versus whatever you think you can do with your notepad."

Newsy is the nation’s only free 24/7 national news network. You can find Newsy using your TV’s digital antenna or stream for free. See all the ways you can watch Newsy here.

The publisher of the Wall Street Journal said Friday it believes it was hacked by Chinese intelligence.

The breach was discovered on January 20.

News Corp said data was stolen from journalists and other employees.

It is not known when hackers breached the network or how much data they stole.

The breach affected a limited number of email accounts and documents from News Corp headquarters, News Technology Services, Dow Jones, News UK and New York Post.

News Corp told employees in an email to staff that it believed the “threat activity is contained.”

Other newsrooms, including The New York Times have previously been hacked.

Journalists in Mexico, El Salvador and Qatar have also been hacked with spyware.

News Corp also owns HarperCollins, News Corp Australia and Storyful.

It does not appear employees at those companies were affected by the hack.

U.S. law requires major phone companies to wait seven days before letting users know about a data breach.

It's a rule that FCC Chairwoman Jessica Rosenworcel is hoping to change.

In January, she sent out a proposal that would eliminate "the current seven business day mandatory waiting period for notifying customers of a breach," along with several other changes designed to help people protect their data.

"The idea that I could have my phone hijacked by somebody else, and used in a way that appears to be me, puts a lot of other systems at risk," said Karen Worstell, a senior cybersecurity strategist at VMware, a company which provides multi-cloud services for all apps.

"That's the reason why the FCC is looking at notifying customers early. Customers have to make a choice about what they're going to do about their phone security."

It's an idea echoed by Rosenworcel.

"[T]hese rules need updating to fully reflect the evolving nature of data breaches and the real-time threat they pose to affected to consumers," Rosenworcel said in a written statement about the proposal.

"Customers deserve to be protected against the increase in frequency, sophistication and scale of these data leaks."

Not everyone agrees.

There are currently only four people serving on the five-person Federal Communications Commission, and they are split along party lines: two Democrats and two Republicans.

President Joe Biden's nominee to join the FCC, Gigi Sohn, has been stalled in the Senate for several months.

The Senate Committee on Commerce, Science and Transportation is scheduled to vote on her nomination Wednesday.

If approved, she would still have to pass a vote of the full Senate.

FCC action can't come soon enough to save most Americans from having their personal information exposed.

By one estimate, every person in the U.S. had their data stolen four times during 2019.

Breaches have become more common since then.

"We do seem to still have an under-reporting of breaches," Worstell said.

"I'm not exactly sure why. But the understanding is that there are breaches occurring that are not currently being reported. There's a few ways that companies can avoid doing a reporting of a breach. And so many of them may be taking advantage "

Worstell said it's important for all of us to keep an eye out for unfamiliar transactions on our bank or credit card accounts.

She recommended setting up alerts with your bank.

But the most important thing consumers can do, according to Worstell, is activating two-factor authentication on any apps containing personal data.

"Two-factor authentication just means that you have your name, your user id, your password, and another code, usually something that was sent to your phone," Worstell said.

"I would implement that everywhere. Everywhere. Passwords are absolutely worthless at this point in time. If you want to put in 17-character, complex passwords on all of your accounts, go ahead and do that. They're still breakable."

Cameras captured the riots at one of America's most cherished buildings.

Windows were smashed, documents spewed across offices and crowds, charging right past Capitol police.

The chaos prompted questions: What went wrong?

"They weren't prepared to deal with this mindset which is obvious, you can see the videos of it when the police were fighting with them trying to maintain the line at the building," Former Kenton County Homeland Security and Emergency Management Director William Dorsey said.

Dorsey worked in law enforcement for decades.

He thinks a lack of planning contributed to the mass break-in, but wonders why the building itself wasn't better protected.

"Is there no physical barriers? Steel doors? It just amazes me," Dorsey said.

Political leaders called for a thorough review of the security failures.

Derek Bauman said last year's protests for racial justice brought a very different security response.

"Where was the rubber bullets? Where was the mass tear gassing? Where were the helicopters? Why was it there for that and not these folks and this is the most important location, the house of congress," Bauman said.

Bauman spent 26 years in law enforcement, planning and training for many types of crowd control.

Never before has he heard of something like this.

"What's going on with all the computers and stuff? Have they swepped the office for bugs? Do we know if there were bugs planted under...you don't need to be James Bond to walk in and stick something under a desk somewhere, we don't know because there's no answers and nobody's taken questions," Bauman said.

Bauman said the American people deserve answers about what happened and the actions being taken to investigate what went wrong.