Researchers at Microsoft have discovered that 44 million user accounts are still relying on passwords that have previously been leaked. The research team analyzed billions of leaked user credentials in order to draw this conclusion.
The credentials had been leaked in a variety of security breaches; Microsoft assembled its comparison set of leaked credentials from multiple sources, including law enforcement and publicly accessible databases. The scale of the underlying problem is clear: data breaches were reported to have exposed 4.1 billion records in the first six months of this year alone. The affected accounts include consumer Microsoft accounts, such as Hotmail, as well as business accounts.
With trading of leaked data now commonplace on the dark web, the incentive to compile this sort of data is obviously growing. To better understand the issue, and to minimize its impact on everyday Internet users, security researchers analyze breach data to identify the most commonly reused and insecure passwords, and the accounts that still use them.
Through this process, Microsoft identified 44 million user accounts whose current password appeared in breached credentials databases. While 44 million is a small fraction of the roughly 3 billion leaked credentials Microsoft scanned, it still means that many Microsoft users are running a live risk: anyone holding the leaked data can simply try those passwords against their accounts.
Regular password changes
In response to this issue, users are advised to change their passwords on a regular basis and, more importantly, to change any password that has appeared in a breach, to stop reusing passwords across services, and to add other protections such as multi-factor authentication to their accounts. A recent password change on its own is no guarantee of safety: it only helps if the new password is not itself in one of the many leaked databases that now exist and is not reused elsewhere.
Indeed, the Microsoft Security Intelligence Report is quite plain on the dangers of attackers getting hold of users' credentials. “Once a threat actor gets hold of spilled credentials or credentials in the wild, they can try to execute a breach replay attack. In this attack, the actor tries out the same credentials on different service accounts to see if there is a match.”
However, one good piece of news for those potentially under attack is that Microsoft has already taken direct action. It has forced a password reset on all affected consumer accounts, which should protect them from any further ill effects.
Business users face a different situation. For business accounts, Microsoft says it will “elevate the user risk and alert the administrator”, but it is then up to the administrator to act before those accounts are secured. Microsoft has not said how many enterprise accounts are affected; given the overall figure, it would be reasonable to expect hundreds of thousands at the very least, and probably more.
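The check described above (comparing an account's current password against a corpus of leaked credentials, then forcing a reset for consumer accounts and raising the user's risk level for business accounts) can be shown in a few lines. The following is an added example written for this page; it is not Microsoft's code and does not reproduce Microsoft's actual pipeline. It borrows the range-query layout used by the public Pwned Passwords service (index leaked passwords by the first five hex characters of their SHA-1, so a client reveals only that prefix, never the full hash or the password). The leaked password list and the account records are constructed sample data; account passwords are held in plaintext here purely so the example runs stand-alone, whereas a real identity system would store only a salted, slow hash.

```python
import hashlib
from collections import defaultdict

# Constructed sample of a leaked-credential dump (plaintext passwords).
# A real corpus, such as the ~3 billion credentials in the article, would be
# loaded from disk, not embedded.
LEAKED_PASSWORDS = [
    "password123", "qwerty", "letmein", "Summer2019!", "hunter2",
]

# Constructed sample of accounts to audit. "tenant" distinguishes consumer
# accounts (Microsoft forced a reset) from business accounts (risk elevated,
# administrator alerted).
ACCOUNTS = [
    {"user": "alice@example.com", "password": "hunter2", "tenant": "consumer"},
    {"user": "bob@contoso.example", "password": "Summer2019!", "tenant": "business"},
    {"user": "carol@example.com", "password": "correct horse battery staple", "tenant": "consumer"},
]


def sha1_hex(password: str) -> str:
    """SHA-1 is used only as a fast lookup key for corpus matching (the same
    convention as Pwned Passwords); it is NOT suitable for password storage."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked):
    """Index leaked passwords by a 5-hex-char (20-bit) SHA-1 prefix.
    Each prefix bucket holds the remaining 35 hex chars of every matching hash.
    With a real corpus each bucket holds hundreds of suffixes, which is what
    gives the lookup its k-anonymity; this toy set yields one per bucket."""
    index = defaultdict(set)
    for pw in leaked:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


def lookup_range(index, prefix):
    """Server side of the range query: return every suffix for a prefix.
    The server learns only the 5-char prefix, not which suffix the caller wants."""
    return set(index.get(prefix, ()))


def is_breached(index, password):
    """Client side: hash locally, query by prefix, match the suffix locally."""
    h = sha1_hex(password)
    return h[5:] in lookup_range(index, h[:5])


def audit_accounts(index, accounts):
    """Apply the response policy described in the article to each account."""
    actions = {}
    for acct in accounts:
        if not is_breached(index, acct["password"]):
            actions[acct["user"]] = "ok"
        elif acct["tenant"] == "consumer":
            actions[acct["user"]] = "force_reset"
        else:
            actions[acct["user"]] = "elevate_risk_and_alert_admin"
    return actions


if __name__ == "__main__":
    idx = build_range_index(LEAKED_PASSWORDS)
    for user, action in audit_accounts(idx, ACCOUNTS).items():
        print(f"{user}: {action}")
```

The same prefix-matching scheme works when a user picks a new password at reset time: reject any candidate whose hash suffix appears in the bucket for its prefix, which closes the gap the article notes where a freshly changed password is itself already in a leaked database.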
While Microsoft has been praised for its response to the issue, the problems with user credentials underline the scale and scope of cybercrime, and how important it is for every Internet user to take as many security precautions as possible.