44 Million Microsoft and Azure Users Continue to Use Breached Passwords, New Study Finds

44 Million Azure Users Use Compromised Passwords

Online companies and services suffer credential stuffing attacks on a daily basis, and the consequences are often quite severe. The threat is looming, and security specialists won't stop talking about it. Something clearly needs to be done, and to be able to better understand what's going on, security vendors are researching people's password management habits. Unfortunately, the more they do it, the more we realize that credential stuffing is unlikely to disappear any time soon.

Earlier this year, for example, experts from Microsoft tried to learn more about what people do to protect their Azure accounts, and having gone through their findings, we can draw two major conclusions. The first one is that pulling off a successful credential stuffing attack has never been easier. The second one is that users are not completely aware of how horrific the consequences could be.

More than 44 million Microsoft customers found to use previously compromised passwords

Microsoft's study began in January 2019 when the experts took a collection of 3 billion username and password pairs stolen from various online services and platforms. They then tested them against a list of credentials that had been created by Azure AD and Microsoft Services users and found a match for over 44 million accounts.

In other words, back in the first quarter of this year, anyone who had access to the 3 billion stolen login credentials could have easily taken over the accounts of more than 44 million people. This sounds almost too terrifying to be true, and we're pretty sure that some of you have already raised a finger in objection. They may say that getting hold of 3 billion username and password combinations would be next to impossible for your regular cybercrook. Unfortunately, this is far from the truth.

Stolen login credentials are sold on dark web marketplaces and hacking forums for peanuts, and recently, a cybercriminal group made a simple configuration mistake and showed that sometimes, all that stands between a hacker and a massive stash of login data is a simple search query.

All in all, in this day and age, organizing a credential stuffing attack is not very difficult at all, and users' negligence towards password security means that it will, in all likelihood, be very effective. But what can we do to change this?

Microsoft forces a password reset for customers who use compromised passwords

After seeing the figures, Microsoft immediately forced a password reset for all people who had used compromised credentials. By invalidating the breached passwords, it put a rather big obstacle in front of anyone trying to mount a credential stuffing attack on Azure users. Unfortunately, this can never be enough to solve the problem completely.

For one, as another recent study shows, about half the people tend to lightly modify their old passwords when they're forced to update them. And even if they do go through the trouble of creating a new password, chances are, they will then go on and reuse it on other accounts.

Credential stuffing relies on poor password management, and the facts show that people simply don't know how to handle their login data correctly. Awareness is the only thing that can truly turn the tables around. If people know how to properly protect their accounts, and if they're familiar with the tools they have at their disposal, they'll be much more likely to avoid making the same old mistakes.

Unfortunately, although the effort to educate Joe and Joanne Average is immense, Microsoft's study and other similar surveys show that the progress is excruciatingly slow.

December 18, 2019