44 million Microsoft Azure AD and Microsoft Services accounts were vulnerable to account hijacking due to use of compromised passwords, Microsoft has shared.
The discovery was made in the first quarter of 2019, when the company’s identity threat research team checked billions of credentials compromised in different breaches against Microsoft consumer and enterprise account credentials.
Password reuse and efforts to prevent it
Data breaches have become a fact of life for both businesses and individuals, making password reuse across online accounts a big problem. Year after year, surveys show that convenience trumps security for too many users – even infosec professionals.
Some organizations set up stringent password rules to prevent users from choosing short, predictable and easy-to-guess passwords. To help with that Microsoft has, for example, provided Azure AD Password Protection to enterprise users.
Google has also offered Chrome users an extension that detects username/password combinations that have been compromised due to breaches and recently built the technology into Google Account’s Password Manager (and soon the Chrome browser).
Compromised passwords and Microsoft accounts
While the infosec industry would like everyone to use password managers to come up and save long, unique passwords for each online account, many users still avoid using them and opt for password reuse.
NIST advises companies to verify that passwords are not compromised before they are activated and check their status on an ongoing basis, against a dynamic database comprised of known compromised credentials.
The latter is what Microsoft did and how it made this latest discovery.
“For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side. On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced,” the company noted and, once again, advised users to use MFA wherever possible.
“Microsoft also offers solutions to protect customers from breach replay attacks. This includes capabilities to flag users as high risk and inform the administrator to enforce a password reset,” they added.