Microsoft’s identity threat research team found more than
44 million compromised Microsoft user accounts in use in three months of
scanning, between January and March 2019.
The team checked billions of credentials used on its services against
known leaks to identify the accounts that were still using a compromised
user name and password. The researchers found over 44 million
Azure AD and Microsoft Services Accounts using already compromised credentials.
Microsoft used a variety of sources for the comparison,
including law enforcement and public databases. In total, the researchers checked
3 billion credentials, so the 44 million matches amount to roughly 1.5% of the
credentials checked.
“For the leaked credentials for which we found a match,
we force a password reset. No additional action is required on the consumer
side. On the enterprise side, Microsoft will elevate the user risk and alert
the administrator so that a credential reset can be enforced,” says Microsoft.
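The matching and the follow-up actions described above, as an added illustration that is not Microsoft's code and does not reflect how its pipeline is built: a directory stores only salted password hashes, so a leaked plaintext password cannot be looked up directly; it has to be re-hashed with the matching user's salt and compared. A hit on a consumer account sets a forced reset, a hit on an enterprise account elevates the user's risk level for the administrator. The account names, passwords, the "leak" feed and the low PBKDF2 iteration count are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Kept low so the example runs quickly; a real directory uses far more iterations.
ITERATIONS = 10_000


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    enterprise: bool            # False: consumer account, True: enterprise tenant user
    risk_level: str = "none"
    force_reset: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def normalize(username: str) -> str:
    # Leak dumps are inconsistent about case and whitespace; match on a canonical form.
    return username.strip().lower()


def create_account(username: str, password: str, enterprise: bool) -> Account:
    salt = os.urandom(16)
    return Account(normalize(username), salt, hash_password(password, salt), enterprise)


def check_leaked_credentials(directory: dict, leaked: list) -> list:
    """Compare leaked (username, plaintext password) pairs against the directory.

    Only salted hashes are stored, so each leaked password is re-hashed with the
    candidate user's salt and compared in constant time. On a match the consumer
    account is flagged for a forced reset and the enterprise account has its
    risk level elevated. Returns the usernames that matched, in feed order.
    """
    matched = []
    for raw_user, leaked_pw in leaked:
        acct = directory.get(normalize(raw_user))
        if acct is None:
            continue  # leaked credential belongs to no account we hold
        candidate = hash_password(leaked_pw, acct.salt)
        if not hmac.compare_digest(candidate, acct.pw_hash):
            continue  # same username, but the password was changed since the leak
        if acct.enterprise:
            acct.risk_level = "high"
        else:
            acct.force_reset = True
        matched.append(acct.username)
    return matched


def build_sample_directory() -> dict:
    # Constructed sample accounts; not real data.
    accounts = [
        create_account("alice@example.com", "Summer2019!", enterprise=False),
        create_account("bob@contoso.example", "correct horse battery staple", enterprise=True),
        create_account("carol@example.com", "unique-and-unleaked-42", enterprise=False),
    ]
    return {a.username: a for a in accounts}


# Constructed "leak" feed, with the inconsistent formatting such dumps often have.
SAMPLE_LEAK = [
    ("Alice@Example.com ", "Summer2019!"),                     # still in use: consumer reset
    ("bob@contoso.example", "correct horse battery staple"),   # still in use: risk elevated
    ("carol@example.com", "OldPassword1"),                     # rotated since the leak: no action
    ("dave@example.com", "hunter2"),                           # not one of our users
]


if __name__ == "__main__":
    directory = build_sample_directory()
    for user in check_leaked_credentials(directory, SAMPLE_LEAK):
        acct = directory[user]
        print(user, "force_reset" if acct.force_reset else f"risk={acct.risk_level}")
```

The per-user salt is what makes this a per-account re-hash rather than a set intersection of hashes; that cost is also why a directory cannot simply bulk-compare a multi-billion-entry leak list without some indexing by username first, which is what the `directory.get` lookup stands in for here.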
There are multiple reasons for the findings, and a forced password reset
does not stop it from happening again: user names and passwords regularly
turn up in new leaks, and people often have no idea that they should change
their login information.
A 2018 study showed that 52% of people reuse the same set
of credentials on multiple websites. Even when they use different credentials,
they rarely choose strong passwords, and many never enable any form of
multi-factor authentication (MFA).
In fact, Microsoft claims that an MFA solution thwarts more
than 99.9% of all identity attacks.