Microsoft users are signing in with login details that have previously been breached, putting not only themselves but also their organisations at risk of account takeover.
According to a study that ran from January to March 2019, Microsoft’s threat research team examined 3 billion credentials known to have been stolen by hackers, obtained from third-party sources such as law enforcement and public databases.
It found a match for more than 44 million Microsoft Services Accounts, which are primarily used by consumers, and Azure AD accounts. The latter is the greater concern for businesses.
“For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side. On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced,” it explained.
“Given the frequency of passwords being reused by multiple individuals, it is critical to back your password with some form of strong credential. Multi-Factor Authentication (MFA) is an important security mechanism that can dramatically improve your security posture.”
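The matching-and-response process Microsoft describes above, as an added illustration that is not Microsoft's own code: leaked username/password pairs are checked against stored salted verifiers (never plaintext), and a hit triggers a forced reset for a consumer account or a risk elevation plus admin alert for an enterprise account. All account names, passwords and the leaked pairs are constructed sample data.

```python
import hashlib
import hmac
import os


def make_verifier(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 verifier; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register(kind: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"kind": kind, "salt": salt, "verifier": make_verifier(password, salt)}


# Constructed sample accounts (consumer vs. enterprise, as in the article).
ACCOUNTS = {
    "alice@example.com": register("consumer", "Winter2019!"),
    "bob@example.com": register("enterprise", "Passw0rd"),
    "carol@example.com": register("enterprise", "c0rrect-horse"),
}

# Constructed leaked (username, plaintext) pairs as a third-party dump would supply.
LEAKED = [
    ("alice@example.com", "Winter2019!"),    # reused: real match
    ("bob@example.com", "hunter2"),          # same user, different password: no match
    ("carol@example.com", "c0rrect-horse"),  # reused on an enterprise account
    ("dave@example.com", "letmein"),         # not one of our users
]


def sweep(accounts: dict, leaked: list) -> dict:
    """Return the response action per account whose leaked password still works."""
    actions = {}
    for user, leaked_pw in leaked:
        acct = accounts.get(user)
        if acct is None:
            continue  # leaked identity is not an account we hold
        candidate = make_verifier(leaked_pw, acct["salt"])
        # Constant-time comparison so the sweep itself leaks no timing signal.
        if hmac.compare_digest(candidate, acct["verifier"]):
            if acct["kind"] == "consumer":
                actions[user] = "force_password_reset"
            else:
                actions[user] = "elevate_user_risk_and_alert_admin"
    return actions


if __name__ == "__main__":
    for user, action in sweep(ACCOUNTS, LEAKED).items():
        print(f"{user}: {action}")
```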
Microsoft claims that 99.9 per cent of identity attacks can be mitigated by switching on MFA. This advice is particularly important given the ongoing credential stuffing attacks. A report from Akamai claimed that these attacks cost the average EMEA firm approximately $4 million per year in app downtime, lost customers and additional IT support.
Such attacks have already had a significant impact this year, affecting organisations including OkCupid and TfL.
Back in 2018, a study of approximately 30 million users found that 52 per cent reused passwords, while 30 per cent of modified passwords could be cracked within 10 guesses.
Join us for ESRM 2020
Whitehall Media’s prestigious biannual ESRM conference, now in its 12th edition, is set to discuss how enterprises are increasing awareness from the board down, adopting effective incident response planning, adding threat analytics to their security response and investigating security events with robust incident forensics.