The Microsoft threat research team scanned all Microsoft user accounts and found that 44 million users were employing usernames and passwords that leaked online following security breaches at other online services.
The scan took place between January and March 2019.
Microsoft said it scanned user accounts using a database of over three billion leaked credentials, which it obtained from multiple sources, such as law enforcement and public databases.
The scan effectively helped Microsoft identify users who reused the same usernames and passwords across different online accounts.
Password resets have already taken place
The 44 million total included Microsoft Services Accounts (regular user accounts), but also Azure AD accounts.
“For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side,” Microsoft said.
“On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced,” it added.
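How a scan like the one described above can be run against an account store that holds only salted hashes, as an added Python example (not Microsoft's code; it assumes PBKDF2 storage, a constructed leaked-credential list and the consumer/enterprise split the page describes):

```python
import hashlib
import hmac
import os

# Constructed breach corpus (plaintext pairs, as they appear in dumps); not a real dataset.
LEAKED_CREDENTIALS = [
    ("Alice@Example.com", "Winter2019!"),
    ("bob@example.com", "correct horse battery staple"),
    ("carol@example.com", "hunter2"),
]

def normalize_username(username: str) -> str:
    """Breach dumps and account stores disagree on case and whitespace."""
    return username.strip().lower()

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; an assumed stand-in for the real store's format."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def build_account_store(accounts):
    """accounts: (username, password, type) triples; only salt and hash are kept."""
    store = {}
    for username, password, account_type in accounts:
        salt = os.urandom(16)
        store[normalize_username(username)] = (salt, hash_password(password, salt), account_type)
    return store

def scan_for_breach_replay(store, leaked):
    """Map each account whose current password appears in the corpus to the response action."""
    actions = {}
    for username, leaked_password in leaked:
        key = normalize_username(username)
        if key not in store:
            continue  # leaked account is not one of ours
        salt, stored_hash, account_type = store[key]
        if hmac.compare_digest(hash_password(leaked_password, salt), stored_hash):
            # Consumer accounts: forced reset. Enterprise (Azure AD): elevate risk, alert admin.
            actions[key] = ("force_password_reset" if account_type == "consumer"
                            else "elevate_user_risk_and_alert_admin")
    return actions

def demo():
    store = build_account_store([
        ("alice@example.com", "Winter2019!", "consumer"),           # reused the leaked password
        ("bob@example.com", "a different passphrase", "consumer"),  # leaked elsewhere, not reused
        ("carol@example.com", "hunter2", "enterprise"),             # reused, Azure AD account
    ])
    return scan_for_breach_replay(store, LEAKED_CREDENTIALS)
```

Only accounts whose stored hash matches a leaked plaintext are flagged, so a user who changed their password after the third-party breach is left alone.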
The OS maker has been a staunch advocate and promoter of multi-factor authentication (MFA) solutions.
Earlier this summer, the company said that enabling an MFA security measure for a Microsoft account blocks 99.9% of all attacks and that MFA bypass attempts are so rare its security team doesn’t even have statistics on this type of threat.
Detecting 100% of password reuse cases is impossible
Microsoft typically warns against using weak or easy-to-guess passwords when setting up an account, but these warnings don’t cover password reuse scenarios.
This is because users might be using a complex password that would pass Microsoft’s checks, but Microsoft has no way of knowing if the user has reused that password in other places.
Once a third-party service suffers a security breach and the user’s password is stolen and leaked online, the user’s Microsoft account is put at risk as well, even though the password itself is strong.
Hackers can take the leaked password and use it in an attempt to gain access to the user’s other accounts — such as Microsoft, Google, Facebook, Twitter, etc. Microsoft calls this a “breach replay attack.”
A 2018 academic research study of 28.8 million user accounts found that password reuse and small modifications to the original password were common among 52% of users. The same study also found that 30% of the modified passwords and all of the reused passwords can be cracked within just 10 guesses.