Microsoft Finds Password Security Problem Affecting 44 Million Users
Friday, December 6, 2019
After analyzing a database containing 3 billion leaked credentials from security breaches, the Microsoft threat research team determined more than 44 million user accounts had a serious security problem. Here's what you need to know.
Mitigating the Microsoft password reuse risk
As far as the leaked credentials that the threat research team found during this analysis are concerned, Microsoft has confirmed that consumers need to take "no additional action," as it has already forced a password reset. This will come as a great relief to those worried about their Office, OneDrive, or Xbox services. The situation is less straightforward for business users. Microsoft stated that it would "elevate the user risk and alert the administrator" for enterprise accounts, with the administrator then having to ensure a credential reset is enforced. The reused-credential statistics were not broken down into consumer and enterprise accounts, so it's not clear how many businesses could be impacted by this.
"As with the recent HackerOne incident, humans remain the weakest link in every organization," Ilia Kolochenko, CEO of ImmuniWeb, said, "Microsoft’s campaign to augment account security serves as a great example to other vendors."
More password security advice for Microsoft users
The Microsoft report goes on to say that it's "critical to back your password with some form of strong credential," and suggests that Multi-Factor Authentication (MFA) is a recommended mechanism to achieve this. "Our numbers show that 99.9% of identity attacks have been thwarted by turning on MFA," the report stated. Unfortunately, as Kolochenko said, while "Two (2FA) and Multi-Factor Authentication (MFA) can considerably reduce those risks, most users regard these as irritating inconveniences and would rather deactivate them whenever possible."
For the average consumer and smaller businesses, I always suggest that password managers are the baseline security measure that should be in place. Not only do these make it easy to use a secure, random and complex password for every account and site you use, but most also have password auditing functionality for good measure. Google, for example, has a Password Checkup function that works with the Google account password manager and checks for reuse against a database of 4 billion leaked credentials, and Firefox has also added a compromised password warning feature.
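The two audit checks described above, reuse of one password across several accounts and a match against a corpus of leaked credentials, can be sketched in a few lines. The code below is an added illustration and is not Microsoft's, Google's or any password manager's code. The leaked-credential corpus is a constructed in-memory set of SHA-1 digests, and `range_lookup` only simulates the k-anonymity range query that public breach-check services such as Have I Been Pwned's Pwned Passwords API use, where the client reveals only the first five hex characters of the digest and matches the rest locally.

```python
"""Password-audit sketch: flag reused passwords and breach-corpus matches.

Added example, not vendor code. The corpus below is constructed; a real audit
would query a breach-check service by digest prefix instead of holding a set.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List, Set


def sha1_hex(password: str) -> str:
    """Upper-case SHA-1 hex digest, the form breach-check corpora index on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed "leaked credential" corpus, stored as digests so the audit never
# handles the corpus plaintexts. (Hypothetical sample values.)
LEAKED_DIGESTS: Set[str] = {sha1_hex(p) for p in ("password123", "qwerty", "letmein")}


def range_lookup(prefix: str) -> Set[str]:
    """Simulated k-anonymity range query: given a 5-hex-char prefix, return
    the suffixes of every corpus digest sharing it. The caller never sends
    the full digest, so the service cannot tell which password was checked."""
    return {d[5:] for d in LEAKED_DIGESTS if d.startswith(prefix)}


def is_leaked(password: str) -> bool:
    """True if the password's digest appears in the corpus."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def audit_vault(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """vault maps account name -> password (as a password manager would hold).
    Returns account -> list of findings; accounts with no findings are omitted."""
    findings: Dict[str, List[str]] = defaultdict(list)

    # Reuse check: group accounts by password digest, not by plaintext.
    by_digest: Dict[str, List[str]] = defaultdict(list)
    for account, pw in vault.items():
        by_digest[sha1_hex(pw)].append(account)
    for accounts in by_digest.values():
        if len(accounts) > 1:
            for a in accounts:
                others = sorted(o for o in accounts if o != a)
                findings[a].append("reused with " + ", ".join(others))

    # Breach check: prefix query per account.
    for account, pw in vault.items():
        if is_leaked(pw):
            findings[account].append("appears in leaked-credential corpus")

    return dict(findings)


if __name__ == "__main__":
    # Constructed sample vault.
    sample = {
        "mail": "password123",
        "bank": "Tr0ub4dor&3-unique",
        "shop": "password123",
        "forum": "qwerty",
    }
    for account, notes in sorted(audit_vault(sample).items()):
        print(f"{account}: {'; '.join(notes)}")
```

The audit groups by digest rather than comparing plaintexts, and the breach lookup reveals only a digest prefix; both are the habits a practitioner wants in any tool that touches stored credentials. Note that SHA-1 is used here only because breach corpora index on it, not as a password storage hash.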
ZDNet: HackerOne loses confidential bug reports belonging to its customers
SiliconANGLE: Bug bounty startup HackerOne suffers breach after analyst mistake