Microsoft has revealed that 44 million of its users are still using passwords that have previously been compromised in data breaches, with both consumer and business users among those affected.
The company recently ran a check of over three billion user credentials from a database populated from numerous sources, including law enforcement and public databases.
Using the data set, Microsoft was able to identify the number of users who were reusing credentials across multiple online services. It has since sent them notifications to change their log-in settings.
So-called “credential stuffing”, where fraudsters replay already-breached usernames and passwords against other services to gain access to accounts, is increasingly being blamed for data breaches. However, firms whose systems are accessed this way can still be held liable.
In 2018, the Information Commissioner’s Office issued a £385,000 penalty to the ride-sharing company Uber after finding that compromised username and password pairs were used to gain access to Uber’s data storage. The regulator ruled “avoidable data security flaws” had allowed the personal details of around 2.7 million UK customers to be accessed.
Of the 30 million users Microsoft examined, 52% were using modified versions of their leaked credentials. The researchers found that even when modified, 30% of those credentials could be guessed within 10 attempts.
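The two checks described above, matching accounts against a breach corpus and catching passwords that are only trivial modifications of a leaked one, as an added example that is not Microsoft's code: the breach corpus, the three accounts and the ten modification rules are constructed for illustration, and the 5-character hash-prefix bucketing is the range-query layout used by public breached-password lookup services, so the client never sends the full hash.

```python
"""Breached-credential check with variant expansion (added example, not Microsoft's code)."""
import hashlib

# Constructed sample breach corpus: hypothetical accounts, not real leaked data.
LEAKED = [
    ("alice@example.com", "sunshine"),
    ("bob@example.com", "Password1"),
    ("carol@example.com", "letmein"),
]

# Illustrative leetspeak substitutions; the rule set is an assumption, not a published one.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})


def sha1_hex(text):
    """Uppercase hex SHA-1, the digest commonly used for breached-password lookups."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def variants(pw):
    """The leaked password plus up to nine of the modifications users most often apply.

    Capitalise, append a short suffix, upper-case, leetspeak: ten guesses at most,
    which is the budget the researchers quoted for cracking 30% of modified passwords.
    """
    out = []
    for base in (pw, pw.capitalize()):
        for suffix in ("", "1", "!", "123"):
            out.append(base + suffix)
    out.append(pw.upper())
    out.append(pw.translate(LEET))
    # Dedupe while keeping order, so an already-capitalised password is not listed twice.
    return list(dict.fromkeys(out))


def build_index(corpus):
    """Hash-only index of every leaked password and its variants, bucketed by 5-char prefix.

    Only digests are stored; the plaintext corpus is not needed once the index exists.
    """
    index = {}
    for _email, pw in corpus:
        for v in variants(pw):
            h = sha1_hex(v)
            index.setdefault(h[:5], set()).add(h[5:])
    return index


INDEX = build_index(LEAKED)


def range_query(prefix):
    """Server side: return the hash suffixes in one bucket, never a full hash."""
    return INDEX.get(prefix.upper(), set())


def is_compromised(password):
    """Client side: send only the 5-hex-char prefix and match the suffix locally."""
    h = sha1_hex(password)
    return h[5:] in range_query(h[:5])


def check_user(email, password, corpus=LEAKED):
    """Classify a user's current password against the breach corpus.

    'reused'       exactly the leaked password for this account
    'variant'      a guessable modification of it (the 52% / 30% case)
    'compromised'  matches a password leaked for some other account
    'ok'           no hit
    """
    cur = sha1_hex(password)
    for e, leaked_pw in corpus:
        if e != email:
            continue
        if cur == sha1_hex(leaked_pw):
            return "reused"
        if cur in {sha1_hex(v) for v in variants(leaked_pw)}:
            return "variant"
    if is_compromised(password):
        return "compromised"
    return "ok"


if __name__ == "__main__":
    for email, pw in [
        ("alice@example.com", "sunshine"),
        ("alice@example.com", "Sunshine1"),
        ("dave@example.com", "letmein!"),
        ("dave@example.com", "correct horse battery staple"),
    ]:
        print(f"{email:20} {check_user(email, pw)}")
```

A real deployment would compare hashes computed under a stronger, salted scheme on the server side and would notify the user rather than print; the point of the example is that a password differing from the leaked one by a capital letter, a trailing "1" or a leetspeak swap still falls inside a ten-guess budget and should be treated as compromised.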
Securonix VP EMEA Robert Ramsden-Board said: “In today’s cybersecurity landscape, it couldn’t be truer to say that passwords are the weakest link. We need to create several versions of them, make them hard to guess and commit them to memory. Therefore, it comes as no surprise that password reuse is so rampant.
“Two-factor authentication can help tackle the risk posed by password reuse. However, organisations and users should explore alternatives to the traditional text password, such as persona-based authentication.”
Microsoft has responded by raising the password length limit for Azure AD accounts from 16 characters to 256, which it says substantially improves password strength and the time a brute-force attack on an account would theoretically take.