Microsoft study finds 44M users using breached passwords
A new study from Microsoft Security has found that 44 million Microsoft and Azure cloud account holders were using passwords that were stolen in data breaches.
The study, published late last week, took more than 3 billion credentials known from third-party sources to have been stolen by hackers and checked them against credentials used on Microsoft Corp. services between January and March 2019. The 44 million matches covered Microsoft Services accounts and Azure AD accounts, the latter particularly concerning for business and enterprise customers.
“Once a threat actor gets hold of spilled credentials or credentials in the wild they can try to execute a breach replay attack,” the report said. “In this attack, the actor tries out the same credentials on different service accounts to see if there is a match.”
Having identified the reused credentials, Microsoft forced a password reset on every account where a match was found, but the matches highlight the danger of reusing passwords across multiple accounts.
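As an added illustration of the check described above (example code written for this page, not Microsoft's implementation; the account store layout, the PBKDF2 verifier and the small "breach corpus" are all constructed for the example), the following Python screens a service's accounts against leaked username/password pairs and flags every account where the leaked pair still works, then forces a reset on those accounts:

```python
"""Screen a service's accounts against a leaked-credential corpus (added example).

The defender runs the attacker's breach replay ahead of time: for each spilled
(username, password) pair, check whether that username exists here and whether
the leaked password still verifies against the stored credential. Everything
below (store layout, sample accounts, breach data) is constructed for the
example and is not Microsoft's code.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

PBKDF2_ITERATIONS = 100_000  # deliberately slow hash; tune to your hardware


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_account(store: Dict[str, dict], username: str, password: str) -> None:
    # The store never holds plaintext: only a random salt and the derived hash,
    # so a leaked pair can only be tested by running it through the verifier.
    salt = os.urandom(16)
    store[username.lower()] = {
        "salt": salt,
        "hash": _hash_password(password, salt),
        "must_reset": False,
    }


def password_matches(store: Dict[str, dict], username: str, password: str) -> bool:
    rec = store.get(username.lower())
    if rec is None:
        return False
    candidate = _hash_password(password, rec["salt"])
    return hmac.compare_digest(rec["hash"], candidate)  # constant-time compare


def login(store: Dict[str, dict], username: str, password: str) -> str:
    """Return 'ok', 'reset_required' or 'denied'."""
    if not password_matches(store, username, password):
        return "denied"
    return "reset_required" if store[username.lower()]["must_reset"] else "ok"


def find_breach_replay_matches(store: Dict[str, dict], leaked: List[Tuple[str, str]]) -> List[str]:
    """Usernames whose live credential equals a leaked (username, password) pair.

    A leaked pair is only a problem if the same username exists here AND the
    leaked password still verifies; stale passwords and unknown users are skipped.
    Usernames are compared case-insensitively because breach dumps are not tidy.
    """
    flagged: List[str] = []
    for leaked_user, leaked_pw in leaked:
        user = leaked_user.lower()
        if user in flagged or user not in store:
            continue
        if password_matches(store, user, leaked_pw):
            flagged.append(user)
    return flagged


def force_reset(store: Dict[str, dict], usernames: List[str]) -> int:
    """Mark accounts so the old password can no longer complete a login."""
    for user in usernames:
        store[user]["must_reset"] = True
    return len(usernames)


def build_demo() -> Tuple[Dict[str, dict], List[Tuple[str, str]]]:
    """Constructed sample data: three accounts and a four-entry 'breach corpus'."""
    store: Dict[str, dict] = {}
    create_account(store, "alice@example.com", "Winter2019!")                # reused in the corpus
    create_account(store, "bob@example.com", "correct horse battery staple")  # not in the corpus
    create_account(store, "carol@example.com", "Tr0ub4dor&3")                # user exists, password differs
    leaked = [
        ("Alice@Example.com", "Winter2019!"),   # exact reuse (case differs in the dump)
        ("carol@example.com", "OldPassword1"),  # stale password, no match
        ("dave@example.com", "hunter2"),        # no such account here
        ("alice@example.com", "Winter2019!"),   # duplicate entry, flagged only once
    ]
    return store, leaked


if __name__ == "__main__":
    demo_store, demo_leaked = build_demo()
    hits = find_breach_replay_matches(demo_store, demo_leaked)
    force_reset(demo_store, hits)
    print("flagged for reset:", hits)
```

Only Alice is flagged: Carol appears in the corpus but with a password that no longer verifies, and Dave has no account on this service. After the forced reset, Alice's old password still verifies but `login` returns `reset_required` rather than `ok`, which is the behaviour the article describes. In production the matching step would run against the authentication service's own verifier rather than a copy of the hash store, and the PBKDF2 cost would be set to whatever the login path already uses.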
“We’ve known for a while now that password reuse is a widespread problem, but its threat has become even more heightened by the spikes in credential-related breaches,” Martin Gallo, director of strategic research at enterprise identity and access management firm SecureAuth Corp., told SiliconANGLE. “Identity and credential sprawl is a massive challenge at both the consumer and enterprise level.”
The Microsoft report concluded that, along with the use of strong credentials, multifactor authentication can also dramatically improve security. But Gallo noted that although MFA is one of the most cost-effective ways to combat password reuse, user adoption has been slow.
“Productivity is key to any successful company and there’s a perception that MFA interrupts the end-user experience, slowing down business results,” Gallo said. “Hopefully this report from Microsoft’s threat research team will be the wake-up call that organizations need to take passwords out of the equation.”
Javvad Malik, security awareness advocate at training company KnowBe4 Inc., added that given the sheer number of different services and apps that people use and require signing up for, it’s no surprise they reuse credentials.
“It’s why it is so important to educate and raise awareness among users as to the dangers of reusing credentials and how it can lead to account takeovers,” Malik said. “Once people understand the risks, they can then make informed decisions to better protect themselves through means such as enabling MFA where available and using a password manager to choose stronger and unique passwords for each site they register for.”
Photo: Microsoft Sweden/Flickr