Millions of Microsoft users have been using log-on credentials that could be known by cybercriminals. A big part of the problem has been the re-use of passwords which has made it much easier for hackers to unlock users’ accounts.
The software giant analysed a database of more than three billion leaked credentials pooled from multiple sources, including public and law enforcement data. It found that 44 million active accounts were at risk. This threat was identified between January and March 2019.
Where Microsoft found leaked credentials among its consumer customers, it forced a password reset. No additional action was required. For enterprise customers, Microsoft alerted the administrator at each organisation so that a credential reset could be enforced.
Globally, data breaches are known to have exposed a total of around 4.1 billion records in the first six months of 2019 alone, so Microsoft’s analysis only reinforces the point that there’s plenty of credential data floating about that could, possibly, be traded by cybercriminals.
And while weak and obvious passwords – such as 12345678 – are still a big part of the problem, even complex passwords aren’t totally safe. They might pass Microsoft’s checks, but there’s no way of knowing if the user has re-used the password in other places.
Hackers can take a leaked password and use it in an attempt to gain access to other accounts used by an individual. It could be any access point in the user’s online activities. A password used for social media activities or gaming might very well be the same as that used for a highly sensitive database within your company.
There’s now a growing range of services being made available to help protect organisations from combatting the problem.
For instance, Microsoft now provides Azure AD Password Protection to enterprise users, and Google has also offered Chrome users an extension that detects username/password combinations that have been compromised due to breaches.
The IT industry as a whole is urging everyone to use multi-factor authentication .
Gary Jowett, from Computer & Network Consultants in Brighton, said: “Using a username and single password is generally being phased out as it’s inherently unsafe. Multi-factor authentication is currently the safest way to minimise security breaches. It’s now made much more convenient with most people possessing a mobile device for receiving verification codes to match up with other credentials. But this shouldn’t be a cause for complacency. Your employees still need to keep on updating their log-on credentials and making sure they don’t share this information with other people. And your company’s security still needs to be regularly reviewed and updated because cybercriminals will, inevitably, find new ways to break into your network.”