Microsoft’s identity threat research team found more than 44 million compromised Microsoft user accounts in use in three months of scanning, between January and March 2019.
The team compared billions of credentials used for Microsoft's services against known leaks in an effort to identify accounts that were still using compromised user names and passwords. The researchers found over 44 million Azure AD and Microsoft Services Accounts using already compromised credentials.
Microsoft drew on a variety of sources for the comparison, including law enforcement and public databases. In total, the researchers checked 3 billion credentials, which means that only about 1.5% of the accounts checked were found to be exposed.
“For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side. On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced,” says Microsoft.
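The check Microsoft describes above boils down to two steps: match each account's current credential pair against a corpus of leaked pairs, then apply a remediation that depends on whether the account is a consumer or an enterprise one. The following is an added illustration written for this article, not Microsoft's code; the leaked pairs, the sign-in attempts and the use of SHA-256 fingerprints of `username:password` are all constructed assumptions so the example runs offline.

```python
import hashlib

# Constructed sample data (not real leaked credentials): pairs as a breach dump
# might present them, user name and password.
LEAKED_PAIRS = [
    ("Alice@Example.com", "Summer2019!"),
    ("bob@example.com", "password1"),
    ("carol@example.com", "letmein"),
]


def fingerprint(username, password):
    """Canonical hash of a credential pair.

    User names are treated as case-insensitive and trimmed; passwords are
    compared exactly. Hashing the pair means the plaintext dump need not be
    kept once the corpus is built. (Assumed scheme, not Microsoft's.)
    """
    canon = f"{username.strip().lower()}:{password}".encode("utf-8")
    return hashlib.sha256(canon).hexdigest()


def build_corpus(pairs):
    """Reduce a leaked dump to a set of fingerprints for O(1) membership tests."""
    return {fingerprint(u, p) for u, p in pairs}


LEAKED_CORPUS = build_corpus(LEAKED_PAIRS)


def is_compromised(username, password, corpus=LEAKED_CORPUS):
    """True when this exact user name/password pair appears in the leaked corpus."""
    return fingerprint(username, password) in corpus


def remediation(account_type, username, password, corpus=LEAKED_CORPUS):
    """Map a match to the response the article quotes: a forced reset for
    consumer accounts, raised user risk plus an admin alert for enterprise
    (Azure AD) accounts. No match means no action."""
    if not is_compromised(username, password, corpus):
        return "none"
    if account_type == "consumer":
        return "force_password_reset"
    return "elevate_user_risk_and_alert_admin"


# Constructed sign-in attempts: (account type, user name, password).
SIGN_INS = [
    ("consumer", "alice@example.com", "Summer2019!"),  # same pair, user name differs only in case -> match
    ("enterprise", "bob@example.com", "password1"),    # exact leaked pair -> match
    ("consumer", "carol@example.com", "letmein2"),     # leaked user, new password -> no match
    ("enterprise", "dave@example.com", "password1"),   # leaked password, different user -> no match
]


def scan(sign_ins, corpus=LEAKED_CORPUS):
    """Return the remediation decided for each sign-in, keyed by user name."""
    return {user: remediation(kind, user, pw, corpus) for kind, user, pw in sign_ins}


if __name__ == "__main__":
    for user, action in scan(SIGN_INS).items():
        print(f"{user}: {action}")
```

The last sample attempt (a leaked password reused under a different user name) deliberately produces no match: a pair-based check catches accounts whose own credentials leaked, while the password-reuse problem the article raises next needs a separate password-only check.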
There are several reasons behind these findings. A forced password reset by Microsoft does not mean the account won't be compromised again: user names and passwords are regularly exposed in new leaks, and people often have no idea that they should change their login details.
A 2018 study showed that 52% of people reuse the same set of credentials across multiple websites. Even when they use different credentials, they don't choose strong passwords, not to mention that they never enable any form of multi-factor authentication (MFA).
In fact, Microsoft claims that an MFA solution thwarts more than 99.9% of all identity attacks.