U.S. House lawmaker Rep. Don Bacon said the FBI warned him that China-backed hackers who used a stolen Microsoft key to raid the email accounts of senior U.S. government officials also accessed his email accounts.
In a tweet, the Republican congressman from Nebraska said the FBI notified him on Monday that the Chinese government “hacked into my personal and campaign emails from May 15th to June 16th of this year,” citing a previously disclosed vulnerability in Microsoft’s cloud.
The disclosure comes two months after the hack occurred, suggesting that the FBI is still notifying those affected.
It’s not clear why there was a delay in notifying Bacon about the breach. When reached, Microsoft declined to comment beyond its blog posts. An unnamed FBI spokesperson declined to comment.
Bacon said in his tweet that there were “other victims” targeted by this cyber incident, without naming those affected. According to The Washington Post, which first reported Bacon’s email breach, an unnamed congressional staffer was also targeted by the hacks.
Earlier news reports confirmed that the hackers are also known to have accessed the inboxes of U.S. Commerce Secretary Gina Raimondo and U.S. Ambassador to China Nicholas Burns.
Microsoft said in its initial report in July disclosing the breach that emails from approximately 25 organizations, including government agencies and related consumer email accounts, were compromised. Microsoft attributed the breach to a China-backed hacking group known only as Storm-0558. But, the technology giant said that it was a matter of “ongoing investigation” how the hackers obtained a key, which when coupled with a now-fixed Microsoft cloud vulnerability was abused to forge authentication tokens, allowing the hackers to access the email inboxes as if they were the rightful owners.
Bacon, who serves on the House Armed Services Committee and is a member of the House Taiwan Caucus, told the Post that the hacks were likely to “embarrass me or to undercut me politically” for his position on supporting Taiwan’s defenses. In another tweet, Bacon said he will “work overtime” to ensure Taiwan receives the billions of dollars in U.S. weapons it ordered to defend against a potential future invasion by China.
Several other members of Congress have called on the Justice Department and the Federal Trade Commission to investigate the Microsoft cloud breach.
The U.S. Cyber Security Review Board, set up in 2021 and tasked with investigating and identifying recommendations in the wake of major security incidents, said this week that its third-ever investigation will focus on a broader review of cloud-based identity and authentication infrastructure, stemming from Microsoft’s cloud breach. The board previously investigated the impact from the Log4j vulnerability and the recent cyberattacks targeting big tech companies by the Lapsus$ hacking group.
Updated with declines to comment from Microsoft and FBI.