Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Microsoft Security Reveals Password Issues Affecting 44 Million Users

December 9, 2019

On December 6, Forbes carried a post indicating that, after analyzing a database containing 3 billion leaked credentials from security breaches, the Microsoft threat research team determined more than 44 million user accounts had a serious security problem.

The Microsoft threat research team analyzed billions of login credentials that had been leaked following security breaches. These came from multiple sources, including law enforcement and publicly accessible databases, according to Microsoft.

Data breaches are known to have exposed 4.1 billion records in the first six months of 2019 alone, so there's obviously plenty of this kind of credential data floating around, often traded across dark web markets. Security researchers analyze this breach data to get an idea of the most commonly reused, and therefore insecure, passwords. The Microsoft identity threat research team was also looking for these compromised credentials to cross-check against the Microsoft user ecosystem.

Across just the first three months of 2019, Microsoft found some 44 million accounts that were reusing passwords found within those breached credentials databases.

If one of your passwords turns up in a breached database and you use it to access your email account, for example, you may have to pay the price of having your account hijacked.

The Microsoft Security Intelligence Report looked at identity-based threats and warned about this risk from what it calls breach replay attacks. "Once a threat actor gets hold of spilled credentials or credentials in the wild," the report states, "they can try to execute a breach replay attack. In this attack, the actor tries out the same credentials on different service accounts to see if there is a match." This type of attack is becoming more and more common because attackers know darn well that most folks reuse their passwords.

As far as the leaked credentials that the threat research team found during this analysis are concerned, Microsoft has said that consumers need to take "no additional action," as it has already forced a password reset. As the post says, this will come as a great relief to those worried about their Office, OneDrive, or Xbox services. The situation is less straightforward for business users. Microsoft stated that it would "elevate the user risk and alert the administrator" for enterprise accounts, with the administrator then having to ensure a credential reset is enforced. The reused credentials statistics were not broken down into consumer and enterprise accounts, so it's not clear how many businesses could be impacted.

If you receive an email requiring a password reset (one of our clients did), remember that you never click on links in an email. Go directly to your Microsoft account. I did – and I checked my recent activity. Apparently, last month someone from Bangladesh tried to access my account – unsuccessfully as they did not have user credentials. But then, I don't reuse the password and I do have 2FA enabled.

Make sure all of you are doing the same thing!

The Microsoft report goes on to say that it's "critical to back your password with some form of strong credential," and suggests that Multi-Factor Authentication (MFA) is a recommended mechanism to achieve this. "Our numbers show that 99.9% of identity attacks have been thwarted by turning on MFA," the report stated. Unfortunately, as Kolochenko said, while "Two (2FA) and Multi-Factor Authentication (MFA) can considerably reduce those risks, most users regard these as irritating inconveniences and would rather deactivate them whenever possible." Resist that impulse. You can enable 2FA and have it "remember your device," which considerably lessens the inconvenience.

Gavin Millard, vice-president of intelligence at Tenable, said that "as individuals, we need to change our mindset when securing any online account, employing the same level of protection we adopt for securing our financial accounts." What this means is that people must not only stop reusing passwords but also make them stronger, "particularly for accounts where we're sharing sensitive details or personal information," Millard concludes.

And of course, password managers make it much easier not to reuse passwords. Get a grip on yourself and get a password manager if you have not yet done so.

Most have password auditing functionality for good measure. Google has a password checkup function that works with the Google account password manager and checks for reuse against a database of 4 billion leaked credentials, and Firefox has also added a compromised password warning feature.
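The kind of lookup such a checkup performs, as an added example that is not Google's, Firefox's or Microsoft's code: it uses the k-anonymity range query scheme of Have I Been Pwned's Pwned Passwords API (SHA-1 the password locally, send only the first five hex characters, match the suffix on the client), with a constructed five-entry corpus standing in for billions of leaked credentials, plus a vault audit that flags the reuse the post warns about.

```python
import hashlib

# Constructed "leaked credential" corpus for the demo, not real breach data.
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Winter2019!"]

def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_breach_index(passwords):
    """Server side: 5-hex-char SHA-1 prefix -> {35-char suffix: times seen}."""
    index = {}
    for pw in passwords:
        h = sha1_upper(pw)
        bucket = index.setdefault(h[:5], {})
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return index

def range_query(index, prefix):
    """Server side: return every suffix under the prefix. The server sees
    20 bits of a hash, never the password or the full hash."""
    return dict(index.get(prefix, {}))

def password_is_compromised(index, password):
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how often the password appeared in the corpus (0 = not seen)."""
    h = sha1_upper(password)
    return range_query(index, h[:5]).get(h[5:], 0)

def audit_vault(index, vault):
    """Password-manager style audit over {account: password}: flag passwords
    found in the breach corpus and passwords reused across accounts."""
    by_password = {}
    for account, pw in vault.items():
        by_password.setdefault(pw, []).append(account)
    findings = {}
    for pw, accounts in by_password.items():
        issues = []
        if password_is_compromised(index, pw):
            issues.append("breached")
        if len(accounts) > 1:
            issues.append("reused")
        for account in accounts:
            if issues:
                findings[account] = list(issues)
    return findings
```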

To be safe in the ether, you have to be proactive.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson