Microsoft conducted a security threat assessment of its services and users between January and March this year, with shocking results. According to the Internal Threat Research Group, millions of users are reusing their passwords on Microsoft services.
As part of the threat assessment, the company checked 3 billion credentials, of which 44 million matched accounts on the company's services and Azure AD, indicating that those accounts are reusing credentials. Microsoft also noted that many of the 3 billion credentials had been leaked online. This led the company to force password resets to ensure that the accounts were not abused.
Microsoft also states that 30% of reused or modified passwords can be cracked in just 10 guesses. This leads to a breach replay attack, in which an attacker who has gained access to one set of credentials uses the same or similar credentials to break into other accounts.
The company urges users to improve their password security and use MFA, because 99% of attacks can be prevented by using multi-factor authentication. In addition, Microsoft always recommends using unique passwords where possible, and even unique usernames, to make it difficult for attackers to guess credentials and gain access.