A recent Microsoft analysis of a database of 3 billion credentials leaked in security breaches has revealed more than 44 million affected user accounts. According to Microsoft, the breached passwords came from multiple sources, including law enforcement and publicly accessible databases. The report raises concerns about other breached data sets circulating on dark web markets. Analysing the credentials is expected to reveal the most commonly reused, and therefore least secure, passwords. During the analysis, the Microsoft identity threat research team also cross-checked the compromised credentials against the Microsoft user ecosystem.
The accounts in question were reportedly identified in the first three months of 2019 because they were reusing passwords found in those breached credential databases. Threat actors use a variety of techniques to obtain login credentials. If a password turns up in a breached database and is used to access an email account, the owner's entire security is at stake. The Microsoft Security Intelligence Report examined identity-based threats and warned about replay attacks, in which the actor tries the same credentials against different service accounts to see if any match. Eoin Keary, CEO at edgescan, told the media that this type of attack is becoming common.
Microsoft has confirmed that consumers need to take no additional action, as it has already forced a password reset. The situation is less straightforward for business users: for enterprise accounts, Microsoft elevates the user's risk level and alerts the administrator, who then has to ensure that a credential reset is enforced. Microsoft suggested that it is critical to back a password with some form of strong credential, and that Multi-Factor Authentication (MFA) is the recommended mechanism for this. The analysis shows that 99.9 per cent of identity attacks have been thwarted by turning on MFA. Yet most users regard such measures as irritating inconveniences and would rather deactivate them whenever possible, said Ilia Kolochenko, CEO of ImmuniWeb.
People need to change their mindset when securing an online account, employing the same level of protection they adopt for securing their financial accounts, said Gavin Millard, vice-president of intelligence at Tenable. They should not just move away from reusing passwords but should also make them stronger, particularly for accounts where they share sensitive details or personal information, he concluded. Password managers are the baseline security measure one can adopt: they make it easy to use a secure, random and complex password for every account and site, and offer password auditing functionality for good measure. Google also provides a password checkup function that works with the Google account password manager and checks for reuse against a database of leaked credentials, as does Firefox.
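The checkup mechanism described above (a candidate password compared against a database of leaked credentials, plus the reuse auditing a password manager performs) can be modelled offline. The following is an added example, not code from Microsoft, Google or Firefox. It follows the k-anonymity range-query design that Have I Been Pwned's Pwned Passwords service uses (SHA-1 hash, only the first 5 hex characters sent, matching suffixes returned, match completed on the client); the breach corpus, vault entries and function names are constructed for this example.

```python
"""Offline model of a k-anonymity breached-password check and a vault reuse audit.

The client hashes the candidate password with SHA-1, sends only the first 5 hex
characters of the digest, receives every stored 35-character suffix sharing that
prefix, and completes the match locally. The server never sees the password or
its full hash. Corpus and vault data below are constructed for this example.
"""
import hashlib
from collections import defaultdict

# Constructed sample corpus: (plaintext, times seen in breach dumps).
# Plaintexts appear here only to build the index; a real service stores hashes.
SAMPLE_BREACH_CORPUS = [
    ("password", 3730471),
    ("123456", 23547453),
    ("qwerty", 3912816),
    ("letmein", 236902),
]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, as the range API convention expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: map 5-char hash prefix -> {35-char suffix: breach count}."""
    index = defaultdict(dict)
    for plaintext, count in corpus:
        digest = sha1_hex(plaintext)
        index[digest[:5]][digest[5:]] = count
    return index


def range_query(index, prefix: str):
    """Server side: answer a prefix lookup with 'SUFFIX:COUNT' lines."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    bucket = index.get(prefix, {})
    return [f"{suffix}:{count}" for suffix, count in sorted(bucket.items())]


def breach_count(password: str, index) -> int:
    """Client side: how many times the password appeared in breaches (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(index, prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit_vault(vault, index):
    """Password-manager style audit over (site, password) pairs.

    Returns {site: [finding, ...]} listing sites whose password is reused on
    other sites and/or appears in the breach corpus. Clean sites are omitted.
    """
    sites_by_password = defaultdict(list)
    for site, pw in vault:
        sites_by_password[pw].append(site)

    findings = defaultdict(list)
    for pw, sites in sites_by_password.items():
        count = breach_count(pw, index)  # one range query per distinct password
        for site in sites:
            if len(sites) > 1:
                others = ", ".join(s for s in sites if s != site)
                findings[site].append(f"reused on {others}")
            if count:
                findings[site].append(f"seen {count} times in breaches")
    return dict(findings)


if __name__ == "__main__":
    idx = build_range_index(SAMPLE_BREACH_CORPUS)
    # Constructed vault: the first two sites share a breached password.
    vault = [
        ("mail.example", "password"),
        ("bank.example", "password"),
        ("forum.example", "Tr0ub4dor&3-unique-for-forum"),
    ]
    for site, notes in audit_vault(vault, idx).items():
        print(site, "->", "; ".join(notes))
```

The audit issues one range query per distinct password rather than per site, which keeps the number of prefix disclosures to a minimum; a real client would also want to rate-limit and cache those lookups.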