After sieving through over three billion leaked credentials available online, Microsoft threat research team found out that 44 million Azure AD and Microsoft Services Accounts were compromised. A detailed analysis revealed an unsurprising issue: reused passwords.
The credentials analysed from various data breaches came from multiple sources, including law enforcement and public databases. These were checked against credentials found in Microsoft systems to look for those that had been compromised.
"For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side. On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced," read the Microsoft Security Intelligence report.
Password reuse and single-factor authentication rank high among current cyber-security issues, noted Gavin Millard, VP-intelligence at Tenable.
"No matter how easy password managers make storing and using complex passwords for online services, or the option to add a second authentication mechanism such as an SMS code sent to a mobile device, adoption is still woefully low."
The Microsoft report highlights the severity of the situation, commented Stuart Sharp, solution engineering VP at OneLogin.
"Whether knowingly or unknowingly, people are using compromised credentials to access sensitive personal and corporate data, putting organisations and individuals at risk of disastrous attacks from bad actors."
Organisations are equally guilty of lax password management, as previous reports show. A lawsuit on the 2017 Equifax data breach says that the company executives used the default - 'admin' - as the username and password to secure their enormous customer information portal.
An analysis of 21 million leaked credentials linked to Fortune 500 companies found that approximately 42 percent of the stolen passwords were somehow related either to the victim’s company name or to the breached resource in question. On an average, 11 percent of the stolen passwords from one breach are identical. The most common password? Password!
"Why do people reuse passwords? Because they have way too many to remember. Work passwords, utilities, banking, laptop account logins etc etc. How can an average person remember so many? Furthermore, a regular user does not use a password vault or storage solution, regardless of the recommendations," explained Eoin Keary, CEO and cofounder of edgescan.
Password reuse across many services means that if one service is breached, the disclosed password is often used in credential stuffing attacks that try to access other services and websites, as the Fortune 500 situation shows.
"Multi-Factor Authentication (MFA) is an important security mechanism that can dramatically improve your security posture. Our numbers show that 99.9 percent of identity attacks have been thwarted by turning on MFA," read the Microsoft report.
"Multi-Factor Authentication is no longer just security best practice, but a core necessity to corporate and personal applications alike," agreed OneLogin’s Sharp.
"Wherever possible, stronger forms of Multi-Factor Authentication should be used, such as WebAuthn with on-device biometrics."
However, companies must be careful to limit the use of text-based methods while setting up two-factor authentication, said Robert Ramsden Board, VP EMEA at Securonix.
"Two-factor authentication can help tackle the risk posed by password reuse. However, organisations and users should explore alternatives to the traditional text password, such as persona-based authentication, which relies on a combination of ‘geographical’ and behavioural elements to determine identity or a trust score system that allows users to sign in and unlock devices through a trust score that is calculated using several behavioural factors such as location, facial recognition and typing pattern," he suggested.
"As individuals, we need to change our mindset when securing any online account, employing the same level of protection we adopt for securing our financial accounts," said Tenable’s Millard.
"This means moving away from not just the reuse of passwords, but also making them stronger, particularly for accounts where we’re sharing sensitive details or personal information, and always use a second factor if available."