Zeljka Zorz, Editor-in-Chief, Help Net Security
December 9, 2019

Compromised passwords used on 44 million Microsoft accounts

Microsoft has revealed that 44 million Azure AD and Microsoft Services accounts were using compromised passwords, leaving them open to account hijacking.


The discovery was made in the first quarter of 2019, when the company’s identity threat research team checked billions of credentials compromised in different breaches against Microsoft consumer and enterprise account credentials.

Password reuse and efforts to prevent it

Data breaches have become a fact of life for both businesses and individuals, making password reuse across online accounts a big problem. Year after year, surveys show that convenience trumps security for too many users – even infosec professionals.

Some organizations set up stringent password rules to prevent users from choosing short, predictable and easy-to-guess passwords. To help with that, Microsoft has, for example, provided Azure AD Password Protection to enterprise users.

Google has also offered Chrome users an extension that detects username/password combinations that have been compromised due to breaches and recently built the technology into Google Account’s Password Manager (and soon the Chrome browser).

Compromised passwords and Microsoft accounts

While the infosec industry would like everyone to use password managers to generate and store long, unique passwords for each online account, many users still avoid them and opt for password reuse.

And while the use of multi-factor authentication (MFA) is rising, the growth is slow despite its proven efficacy at preventing most account hijacking attacks.

NIST advises companies to verify that passwords are not compromised before they are activated, and to check their status on an ongoing basis against a dynamic database of known compromised credentials.

The latter is what Microsoft did and how it made this latest discovery.

“For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side. On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced,” the company noted and, once again, advised users to use MFA wherever possible.

“Microsoft also offers solutions to protect customers from breach replay attacks. This includes capabilities to flag users as high risk and inform the administrator to enforce a password reset,” they added.
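The check NIST recommends and the response policy Microsoft describes above, as an added illustration that is not Microsoft's code: the client hashes the candidate password locally and sends only a short hash prefix (a k-anonymity style range query, an assumption about how the lookup is done), the server returns matching suffixes, and a matching consumer account is forced to reset while an enterprise account has its risk elevated and its admin alerted. The breach corpus is a small constructed sample standing in for a real, continuously updated database.

```python
import hashlib

# Constructed sample corpus of breached passwords, stored as upper-case SHA-1
# hex digests; a real deployment would use a large, regularly refreshed feed.
BREACHED_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
BREACH_DB = {hashlib.sha1(p.encode()).hexdigest().upper() for p in BREACHED_PASSWORDS}

PREFIX_LEN = 5  # only the first 5 hex characters of the digest leave the client


def range_query(prefix: str) -> set:
    """Server side of the lookup: return every digest suffix in the breach
    database whose digest starts with `prefix`. The server never sees the
    full hash of the candidate password, only the prefix shared by many."""
    return {h[PREFIX_LEN:] for h in BREACH_DB if h.startswith(prefix)}


def is_compromised(password: str) -> bool:
    """Client side: hash locally, query by prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return suffix in range_query(prefix)


def on_credential_check(username: str, password: str, enterprise: bool) -> dict:
    """Apply the response policy from the article: a consumer account with a
    compromised password is forced to reset; an enterprise account has its
    user risk elevated and the administrator is alerted to enforce a reset."""
    if not is_compromised(password):
        return {"user": username, "action": "allow", "risk": "none"}
    if enterprise:
        return {"user": username, "action": "alert_admin", "risk": "high"}
    return {"user": username, "action": "force_reset", "risk": "high"}
```

Run the same check at password set time and periodically against the refreshed corpus, which is the "ongoing basis" NIST calls for.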
