Tens of millions of Microsoft customers are using log-ins that have previously been breached, putting themselves and their organization at risk of account takeover, the computing giant has revealed.
In a study running from January to March 2019, Microsoft’s threat research team checked over three billion credentials known to have been stolen by hackers, using third-party sources such as law enforcement and public databases.
It found a match for over 44 million accounts, spanning both Microsoft Services Accounts, used primarily by consumers, and AzureAD accounts, where a match is the more worrying finding for businesses.
“For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side. On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced,” it explained.
“Given the frequency of passwords being reused by multiple individuals, it is critical to back your password with some form of strong credential. Multi-Factor Authentication (MFA) is an important security mechanism that can dramatically improve your security posture.”
Microsoft claimed that 99.9% of identity attacks can be mitigated by turning on MFA.
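The check described above, written out as an added example rather than Microsoft's own code: leaked (username, password) pairs are verified against salted password hashes the service already stores, and a match triggers the response the statement describes for each account type. All account and leak data below is constructed, and the function names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumption, not Microsoft's setting


def make_account(username, password, account_type, salt=None):
    """Stored record: per-user salt, PBKDF2-SHA256 hash, and the account type
    the article distinguishes ("consumer" MSA vs "azuread" enterprise)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"user": username, "salt": salt, "hash": digest, "type": account_type}


def password_matches(account, candidate):
    """Hash the leaked plaintext with the user's salt and compare in
    constant time; the stored hash is never reversed."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 account["salt"], ITERATIONS)
    return hmac.compare_digest(digest, account["hash"])


def check_leaked_credentials(accounts, leaked_pairs):
    """Return {username: action} for accounts whose current password appears
    in the leaked (username, password) pairs. Consumer accounts get a forced
    reset; enterprise accounts get elevated user risk plus an admin alert."""
    by_user = {a["user"]: a for a in accounts}
    actions = {}
    for user, leaked_pw in leaked_pairs:
        account = by_user.get(user)
        if account is None or not password_matches(account, leaked_pw):
            continue  # unknown user, or leaked password no longer in use
        if account["type"] == "consumer":
            actions[user] = "force_password_reset"
        else:
            actions[user] = "elevate_user_risk_and_alert_admin"
    return actions


# Constructed sample data (not real accounts or breach records).
ACCOUNTS = [
    make_account("alice@example.com", "Summer2019!", "consumer"),
    make_account("bob@corp.example", "correct horse battery", "azuread"),
    make_account("carol@corp.example", "Tr0ub4dor&3", "azuread"),
]
LEAKED = [
    ("alice@example.com", "Summer2019!"),           # exact reuse, consumer
    ("bob@corp.example", "correct horse battery"),  # exact reuse, enterprise
    ("carol@corp.example", "Tr0ub4dor&4"),          # modified; no exact match
    ("dave@nowhere.example", "hunter2"),            # no such account
]

if __name__ == "__main__":
    for user, action in check_leaked_credentials(ACCOUNTS, LEAKED).items():
        print(user, "->", action)
```

Note that an exact-match check like this misses the lightly modified passwords the later study describes, which is one reason the statement pushes MFA rather than relying on reset alone.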
The advice is especially important in the context of ongoing credential stuffing attacks. A report from Akamai earlier this year claimed that such attacks cost the average EMEA firm $4 million annually in app downtime, lost customers and extra IT support.
Attacks have already struck far and wide this year, affecting organizations such as TfL, OkCupid, TurboTax and many more.
A 2018 study of around 30 million users found that password reuse was common, affecting over half (52%) of them, while nearly a third (30%) of modified passwords could be cracked within just 10 guesses.
A Google poll of 3,000 computer users released earlier this year found that just a third (35%) use a different password for every account, and only a quarter (24%) use a password manager.