A new study from Microsoft Security has found that 44 million Microsoft and Azure cloud account holders were using passwords that were stolen in data breaches.

The study, published late last week, analyzed more than 3 billion credentials known to have been stolen by hackers using third-party sources, then compared that data to credentials used on Microsoft Corp. services between January and March 2019. The 44 million matches covered Microsoft Services accounts and AzureAD accounts, the latter particularly concerning for business and enterprise customers.

“Once a threat actor gets hold of spilled credentials or credentials in the wild they can try to execute a breach replay attack,” the report said. “In this attack, the actor tries out the same credentials on different service accounts to see if there is a match.”

Having identified reused credentials, Microsoft has forced a password reset for the accounts where a match was found, but the matches highlight the dangers of reusing passwords across multiple accounts.

“We’ve known for a while now that password reuse is a widespread problem, but its threat has become even more heightened by the spikes in credential-related breaches,” Martin Gallo, director of strategic research and enterprise identity and access management firm SecureAuth Corp., told SiliconANGLE. “Identity and credential sprawl is a massive challenge at both the consumer and enterprise level.”

The Microsoft report concluded that along with the use of strong credentials multifactor authentication can also dramatically improve security. But Gallo noted that although MFA is one of the most cost-effective ways to combat password reuse, user adoption has been slow.

“Productivity is key to any successful company and there’s a perception that MFA interrupts the end-user experience, slowing down business results,” Gallo said. “Hopefully this report from Microsoft’s threat research team will be the wake-up call that organizations need to take passwords out of the equation.”

Javvad Malik, security awareness advocate at training company KnowBe4 Inc., added that given the sheer number of different services and apps that people use and require signing up for, it’s no surprise they reuse credentials.

“It’s why it is so important to educate and raise awareness among users as to the dangers of reusing credentials and how it can lead to account takeovers,” Malik said. “Once people understand the risks, they can then make informed decisions to better protect themselves though means such as enabling MFA where available and using a password manager to choose stronger and unique passwords for each site they register for.”

Photo: Microsoft Sweden/Flickr