Tens of millions of Microsoft users are employing the same usernames and passwords that have been previously leaked online from security breaches.
Microsoft’s threat research team checked over 3 billion credentials obtained from security breaches in 2019 and found matches for over 44 million Azure AD and Microsoft Services Accounts.
“For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side. On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced,” said Microsoft.
In the Microsoft Security Intelligence Report, it is explained that once a threat actor gets hold of “spilled credentials”, the actor can try using the same credentials on other accounts to see if there is a match.
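The check described in the two paragraphs above, as an added illustration rather than Microsoft’s own code: a defender compares a leaked (username, password) corpus against its own user store, which holds only salted hashes, and applies the stated policy, forced reset for consumer accounts and an elevated risk level plus admin alert for enterprise accounts. The sample credentials, the account types and the PBKDF2 hash are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample breach corpus: plaintext pairs as they would appear in a dump.
LEAKED_CREDENTIALS = [
    ("alice@example.com", "Winter2019!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "correct horse battery staple"),
]


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 stands in for whatever slow hash the real store uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(email: str, password: str, account_type: str) -> dict:
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "type": account_type,
            "hash": hash_password(password, salt)}


# Constructed user store keyed by lower-cased email. Carol did not reuse her
# leaked password; Dave does not appear in the dump at all.
USERS = {u["email"].lower(): u for u in [
    make_user("alice@example.com", "Winter2019!", "consumer"),
    make_user("bob@example.com", "hunter2", "enterprise"),
    make_user("carol@example.com", "unrelated-passphrase-7", "enterprise"),
    make_user("dave@example.com", "another-passphrase-9", "consumer"),
]}


def find_matches(users: dict, leaked: list) -> list:
    """Re-hash each leaked password under the matching user's salt; the store
    never holds plaintext, so this is the only way to compare."""
    matches = []
    for email, password in leaked:
        user = users.get(email.lower())
        if user is None:
            continue
        candidate = hash_password(password, user["salt"])
        if hmac.compare_digest(candidate, user["hash"]):
            matches.append(user["email"])
    return matches


def apply_policy(user: dict) -> str:
    """Consumer: force a reset. Enterprise: raise user risk and alert the admin."""
    if user["type"] == "consumer":
        user["must_reset_password"] = True
        return "forced_reset"
    user["risk_level"] = "high"
    user["admin_alert"] = True
    return "risk_elevated"


def remediate(users: dict, leaked: list) -> dict:
    return {e: apply_policy(users[e.lower()]) for e in find_matches(users, leaked)}
```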
A 2018 study of nearly 30 million users and their passwords found that 52% of users reused their passwords, either unchanged or with modifications. The same study also found that 30% of all the reused and modified passwords can be cracked within 10 guesses.
Microsoft added that, given how frequently passwords are reused, it is important to back them with some form of strong credential.
One security mechanism that can improve a user’s security posture is Multi-Factor Authentication (MFA). Microsoft claimed that by turning on MFA, 99.9% of identity attacks can be mitigated.
“As with the recent HackerOne incident, humans remain the weakest link in every organization,” Ilia Kolochenko, CEO of ImmuniWeb, said. “Microsoft’s campaign to augment account security serves as a great example to other vendors.”
The post #Privacy: Around 44m Microsoft users have reused passwords appeared first on PrivSec Report.