After a scan of all of the company's user accounts conducted between January and March of this year, the Microsoft threat research team discovered that 44m users are reusing usernames and passwords that were leaked online following security breaches at other online services.
The software giant explained that it scanned user accounts by using a database of more than three billion leaked credentials that it obtained from multiple sources including law enforcement and public databases.
By conducting the scan, Microsoft was able to identify users who had reused the same usernames and passwords across multiple online services. The company explained what it did after it discovered that users had reused usernames and passwords, saying:
- Breaking the credential reuse cycle
- Avira honeypot discovers the most insecure password combination
- Major rise in password-stealing malware detected
"For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side. On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced."
Microsoft and other tech giants typically warn users against using weak or simple passwords when creating an account but unfortunately these warnings do not apply when a someone reuses credentials from another service.
While Microsoft checks to make sure that its users are utilizing complex passwords, there is no way for the company to know if a user has reused that password for other services.
After a third-party service suffers a security breach that results in user credentials being leaked online, this also puts a user's Microsoft account at risk even if they have employed a strong password.
To prevent hackers and other malicious actors from taking over your accounts after a data breach, it is highly recommended that you use a unique password for each online service you use.
- We've also highlighted the best antivirus software