Compromised credentials used on 44 million Microsoft accounts between January and March 2019

  • The check compared 3 billion leaked credentials, gathered from law-enforcement and public sources, against Microsoft's own account base; it was a bulk credential match, not a brute-force attack on the accounts.
  • NIST advises organisations to check whether a new password already appears in a corpus of compromised passwords before accepting it, and to keep checking after it is set.

Microsoft has disclosed that more than 44 million users of its Azure and Microsoft Services Account (MSA) identity systems were logging in with credentials that had already appeared in third-party breaches. The finding dates from the first quarter of 2019, when the company's identity threat research team checked credentials leaked in other organisations' breaches against Microsoft's account base.

A detailed picture

Microsoft drew on a variety of sources for the comparison, including law enforcement and public breach databases. In total it checked 3 billion leaked username/password pairs against its account base; the 44 million matches amount to roughly 1.5% of that leaked set. The work was a bulk comparison of credentials that were already exposed elsewhere, not a brute-force attack against Microsoft accounts.

“For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side. On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced,” said Microsoft in a statement.

Password reuse issues

While the infosec industry would like everyone to use a password manager to generate and store a long, unique password for each online account, many users still avoid them and reuse the same password across sites. Reuse is what turns a breach at one service into account takeovers at others: the leaked pairs are simply replayed (credential stuffing) against every other login page.

Recommended actions

NIST (SP 800-63B) advises that a proposed password be checked against a corpus of known-compromised passwords before it is accepted. The check should also be repeated on an ongoing basis as new breach data appears, so that accounts whose current password later turns up in a dump can be reset before the pair is used in a credential-stuffing attack.
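The two checks described above, the set-time blocklist check from this section and the ongoing leaked-credential match that the earlier "A detailed picture" section attributes to Microsoft, as an added example in Python. This is illustrative code, not Microsoft's or NIST's. The set-time check uses the k-anonymity range pattern (send only the first five hex characters of the password's SHA-1 and match the suffix locally); the range response here is constructed inline, and the line format mirrors the Have I Been Pwned "range" API, which is an assumption about deployment and not something the article mentions. The account store, salts, PBKDF2 parameters and leaked dump are all constructed for the example.

```python
"""Compromised-credential checks: set-time blocklist and ongoing dump matching.

Added example (not Microsoft's or NIST's code). Sample data is constructed.
"""
import hashlib
import hmac
import os

# --- 1. set-time check (k-anonymity range lookup) ----------------------

def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

# Constructed stand-in for a range-service response: "SUFFIX:COUNT" lines for
# every breached hash sharing the 5-char prefix. The first entry is the real
# SHA-1 of "password"; the second is filler. The count is illustrative.
CONSTRUCTED_RANGE_DB = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0123456789ABCDEF0123456789ABCDEF012:7",
    ]),
}

def range_lookup(prefix):
    """Stand-in for an HTTP GET /range/{prefix}; serves the constructed data above."""
    return CONSTRUCTED_RANGE_DB.get(prefix, "")

def breach_count(password, lookup=range_lookup):
    """How many times `password` appears in the breach corpus (0 = not found).

    Only the prefix leaves the host; the full hash is never sent.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    for line in lookup(prefix).splitlines():
        if not line.strip():
            continue
        cand_suffix, _, count = line.partition(":")
        if hmac.compare_digest(cand_suffix.strip(), suffix):
            return int(count)
    return 0

def password_allowed(password, min_len=8):
    """SP 800-63B style gate: minimum length plus the breach-corpus blocklist."""
    return len(password) >= min_len and breach_count(password) == 0

# --- 2. ongoing check (leaked dump vs. salted-hash account store) -------

def hash_password(password, salt):
    # PBKDF2 stands in for whatever slow password hash the account store uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_account(username, password):
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}

def find_reused_credentials(accounts, leaked_pairs):
    """Usernames whose current password equals a password leaked for that username.

    The store holds no plaintext, so each leaked password is re-hashed with the
    matching user's salt and compared in constant time. Cost is one slow hash per
    leaked pair that names an existing user, not one per stored account.
    """
    by_user = {a["username"]: a for a in accounts}
    hits = set()
    for username, leaked_pw in leaked_pairs:
        acct = by_user.get(username)
        if acct is None:
            continue  # leaked user does not exist here; nothing to compare
        if hmac.compare_digest(hash_password(leaked_pw, acct["salt"]), acct["hash"]):
            hits.add(username)
    return sorted(hits)

# Constructed sample data: two accounts and a three-line leaked dump.
ACCOUNTS = [
    make_account("alice@example.com", "correct horse battery staple"),
    make_account("bob@example.com", "password"),
]
LEAKED_DUMP = [
    ("bob@example.com", "password"),      # reused: should be flagged
    ("alice@example.com", "hunter2"),     # wrong password for alice: not flagged
    ("carol@example.com", "password"),    # unknown user: skipped
]

if __name__ == "__main__":
    print(breach_count("password"))
    print(password_allowed("password"))
    print(find_reused_credentials(ACCOUNTS, LEAKED_DUMP))
```

Accounts returned by `find_reused_credentials` are the ones that would get the forced reset (consumer) or elevated user risk (enterprise) described in Microsoft's statement. In a real deployment `range_lookup` would be replaced by an HTTP call, and the ongoing check would be run against each new dump as it is obtained rather than once.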

Meanwhile, Microsoft states that, given how common password reuse is, enabling a multi-factor authentication (MFA) solution blocks more than 99.9% of identity attacks, because a replayed password alone no longer completes the login.