One in five hacked logins match Microsoft Accounts

Summary: About 20 percent of compromised credentials, exposed via hacks on other service providers, match Microsoft Account logins due to password reuse

TOPICS: Security, Microsoft

Around 20 percent of the logins found on lists of compromised credentials match those of Microsoft Accounts due to consumers using the same login details across more than one service, the company has said.

The lists are circulated by organisations and hackers in the wake of attacks on third-party service providers.

People re-use passwords and login details across services from different providers, Microsoft Account group manager Eric Doerr noted in a blog post on Sunday. That reuse means that if one set of logins is compromised, other accounts are at risk.

"These attacks shine a spotlight on the core issue — people reuse passwords between different websites," said Doerr, speaking after the Yahoo breach last week that exposed 400,000 user details. "On average, we see successful password matches of around 20 percent of matching usernames."

Doerr revealed the figure in a run-down of some Microsoft Account security practices, meant to reassure customers after the Yahoo hack. Microsoft Account is a single sign-on tool for Microsoft services such as SkyDrive, Hotmail, Xbox and Messenger.

Comparing lists

Microsoft regularly gets lists of compromised third-party login details from ISPs, law enforcement and vendors, as well as from lists published on the internet by hackers, according to Doerr. This information is compared against Microsoft login details by an automated process that looks for any overlap. While 20 percent is the average, in one recent breach it was only 4.5 percent, said Doerr.
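As an added example (not Microsoft's code and not from the article), the overlap check described above can be run without the provider ever holding plaintext passwords: each leaked password is re-hashed with the matching user's stored salt and compared against the stored hash, which yields the "matching usernames" denominator and the "successful password matches" numerator Doerr quotes. The account names, passwords and PBKDF2 scheme below are constructed assumptions.

```python
import hashlib
import os
import secrets

# Constructed stand-in for an identity provider's credential store:
# username -> (salt, PBKDF2-HMAC-SHA256 hash). No plaintext is kept, so a
# leaked list can only be checked by re-hashing with the user's own salt.
PBKDF2_ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_store(plain_accounts):
    """Build a salted, hashed store from (username, password) pairs (test data only)."""
    store = {}
    for user, pw in plain_accounts:
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store


def check_leak(store, leaked):
    """Compare a leaked (username, password) list against the local store.

    Returns (number of leaked usernames that exist here, how many of those
    also have a matching password, usernames that must be forced to reset).
    """
    matched_users, matched_passwords, to_reset = 0, 0, []
    for user, leaked_pw in leaked:
        entry = store.get(user)
        if entry is None:
            continue                       # username unknown here: no overlap
        matched_users += 1
        salt, stored = entry
        if secrets.compare_digest(hash_password(leaked_pw, salt), stored):
            matched_passwords += 1         # password reused across services
            to_reset.append(user)
    return matched_users, matched_passwords, to_reset


def reuse_rate(store, leaked):
    """Share of overlapping usernames whose leaked password also works here."""
    users, pws, _ = check_leak(store, leaked)
    return pws / users if users else 0.0


# Constructed data: five local accounts and a leak from some other site.
STORE = make_store([("alice", "correct horse"), ("bob", "hunter2"),
                    ("carol", "Tr0ub4dor&3"), ("dave", "pa55word"),
                    ("erin", "letmein")])
LEAK = [("alice", "correct horse"),   # reused: forced reset
        ("bob", "something-else"),    # same username, different password
        ("carol", "Tr0ub4dor&3"),     # reused: forced reset
        ("dave", "other"), ("erin", "nope"),
        ("zed", "hunter2")]           # no such account here
```

Only the users in the returned reset list need a forced password reset; a username overlap with a non-matching password is noise and should not trigger one.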

After a hack attack on another provider, Microsoft monitors its user accounts to see if they are being used to send spam. If it sees signs of criminal activity, it suspends the account, and the affected customer has to go through an account recovery process before being able to log in again.

If Microsoft suspects, but is not certain, that there has been a breach, it will ask customers to reset their passwords.

The company also uses behavioural monitoring technology, similar to that used by banks, to log patterns of access and location and to judge whether an attempted login is suspicious. The technology can block the attempt, or ask an additional identity question before deciding whether to grant access.

Tightening security

The Microsoft Account team is working on tightening up security, Doerr said. The current 16-character limit on password length, for example, is set to increase to make brute-force attacks more difficult. However, Microsoft is having problems making passwords longer because of its ecosystem, he noted.

"Unfortunately, for historical reasons, the password validation logic is decentralised across different products, so it's a bigger change than it should be and takes longer to get to market," Doerr said.

Yahoo, Gmail, Hushmail, Yandex and MyOperaMail all allow passcode lengths of 30 characters, as one Microsoft account holder, MondayBlues, pointed out in a comment.

Doerr noted that people using SkyDrive device-synchronisation software and buying products on are required to use two-factor authentication. Microsoft is working on implementing this security measure in more products and services, he said, but did not specify which.

Updated: This article was updated at 5.22pm BST after clarification from Microsoft.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

  • One Password to Rule them All

    Accounts, that is.
    William Farrel
    • That's a Wilie Farrel rule, folks

      That way you get to be as pwned as he is.
  • Wow... this is crappy reporting

    The blog said:
    When a non-Microsoft site is breached and a list of made available, of THE ACCOUNTS that actually MATCH UID in the two systems, that about 20% of those users would have matching passwords. Tom Espiner apparently was not much on math, but please try to at least report some decent facts...

    Seems these numbers would apply the same to GMail, Yahoo or anyone....
    • Wow... this is crappy commenting on reporting

      The commenter said:
      Seems these numbers would apply the same to GMail, Yahoo or anyone...

      Maybe more important things like your bank account, credit card, bill pay...

      Who would care if they got 50 phone calls in an hour from people laughing at them for getting their FB account hacked due to a keylogger getting their Yahoo email? I wouldn't, and I'm sure the people I call and laugh at don't appreciate it either.
      • Pot and Kettle...

        [quote]I wouldn't, and I'm sure the people I call and laugh at don't appreciate it either.[/quote]

        You were saying?

        In this day and age, the only way to truly protect one's identity and that of their family is really very simple. It's also the same answer for piracy and intellectual property theft; stay offline.

        I am not going to remember five million passwords and usernames for each and every product I use. Does that mean I'm linked up to my bank by the same username/password?

        I'm a lot of things, but I am not that stupid.
        • Stay offline

          I do stay offline, and off the grid. Fortunately for me, no one could spell my name in the first place except one. On line, on this toy the internet, everything is make believe especially my identity, a nom de plume so to speak. I too am not going to remember all those logins and passwords. The only unique, complicated one, and the one never 'remembered' by browser is the bank one.
    • This is pure FUD!

      This article intentionally leads people to believe that Microsoft is somehow at fault, when the dummies who reuse passwords are actually at fault. What's more is that you need a user name and a password. It takes a special kind of stupid, to use the same user name and pass over and over.

      The article should have been titled: 1 out of 5 people use the same password on more than one site. This has nothing to do with Microsoft other than the fact that they made mention of the phenomenon.
    • Use two-phase authentication

      I have used Gmail and other Google services' two-phase authentication for a few months and I am very happy. I have not missed a single SMS when I logged in. I believe that everyone should opt for this security enhancement.
      • two-step or two-factor authentication

        I would have to agree. Ultimately the fact is passwords (strong or not) do not replace the need for other effective security controls. People need to understand that neither the strength of your password nor having it locked up in Fort Knox will mean anything when it is stolen from the source! The only real solution is to add additional layers of authentication for access and transaction verification without unreasonable complexity, and this will be of help to their customers if they implement some form of two-step or two-factor authentication where you can telesign into your account and have the security of knowing you are protected if your password were to be stolen.
        • agreed with 2step/2phase/2factor but...

          It's a matter of time before bots and such can steal those as well and thus the vicious cycle repeats. I agree with a dual layer of verification, but the real issue isn't reusing passwords or the number of layers, it's the compromised system which one uses to login. The real source aside from the person who initially introduced the source to cause the compromised.

          I use one password for banking, one password for personal emails, one password for forum/blog sites (such as this, which are attached to a separate "dummy/trash/spam mail" email). That being said, some will say I'm not bright or dumb or whatever for doing that. I disagree, here's why.

          Desktops are a dime a dozen now, so having a 10yr old Pen4/512mb system with just (in my case) WinXP sp3 with Adobe Reader and nothing else (well, a physically connected printer) used for bills only has a higher chance of not becoming compromised. It's only on and hits the internet to pay the bills and get its software security updates during that time.

          Another old system for personal emails (financial stuff) set up in the same manner. The last system (newest i7 with 6gb) for all other stuff/junk. Now, out of all the accounts I have using the same password for a group, the password for the dummy/blog emails has been stolen before, and that's because I used other people's systems. No harm done, as no real info can be gathered other than email, pass, IP address and system. The other two systems and the email accounts attached to those are fine, no spam (except from the companies the bill people share it with) or nothing, just as I expected. Not worrying about the crazy off the wall blue pill stuff. I'm currently setting up a new beast system to run VMs on to cut down on the physical hardware.

          So, the point of all that was to say, the best security is to limit a system function next to not ever getting online. Most "normal" people like a "one stop shop" system and that in itself is part of the problem. Next to:
          *allowing browser to save login info
          *having a lot of plugins running or installed
          *allowing the browser to save a lot of temp internet files and cache
          *not clearing the cookies or history
          *and more
          Browsing in private will cut your chances down of having passwords stolen. In some cases Flash and Java try to store crap on the drive, and if a site requires it to view, I hit the mobile version of the site. Now this is just the browser side of it; I won't go deep into the virus protection side. Just have a good reliable one with backup scanning software and keep them current. I use McAfee, Windows Defender and Malwarebytes on the email system, Microsoft Security Essentials & Malwarebytes on bills, and TrendMicro, Defender and Malwarebytes on all other systems.

          If you're wondering how I buy things, I use paypay, but if it requires me to sign in now through their site and not login through paypay first then attach items like ebay later, I use a greendot visa card that will have at most $150 on it. Yes, it may sound like a lot of work, but I take my security & privacy seriously and just don't rely on other things to protect my info.
          Free Webapps
          • forgot to add

            My girlfriend (a crapple sheep) uses a MacBook Pro for all her internet related stuff, and a few of her emails' (junk accounts) passwords were stolen, as she said she has been getting emails from herself about watches and I have been getting suspicious crap from her in my junk account. So Macs aren't any safer either!
            Free Webapps
  • not again

    Microsoft has not kept Windows safe; banks and companies like Google and Gmail and the gov and more have not kept us safe. They cannot any more; they do not know how. So I say back up your stuff on an external hard drive and not online at all. It is safe.
    • Back up to external HD

      Just did that, last night. Also copy the files as well so you can look at them.
  • Why security where none is needed?

    Much ado about nothing. Everyone wants a login and password, yet nothing that the user might put on the site needs more protection than if it were placed on a billboard next to the Interstate. I have a ton of very weak logins and passwords, but they are for sites that I would be just as happy using without any login or password protection. Because of the overuse of security where none is needed, that overuse contributes to password dilution and mismanagement. If secure login and passwords were restricted to those locations where security is actually a valid requirement we would not see this sort of problem.
    John Ellingson
    • How could we tell...

      That this is johne37179 posting or some imposter?
      • Who would care if that is johne37179 or not?

        I don't know that person, you don't, I'm sure ZD does. So if someone figures out his username and password and comes here and is a troll, wing-nut, zealot, or whatever and publishes crap, first, how would that be notable and second who other than johne37179 is damaged? He might be embarrassed but he is anonymous.
        His point, and I agree, is that there are far too many web sites that demand what I would call gratuitous accounts (so username and password) to do stupid things like download free Windows drivers. There is no justification for that for what are usually totally free files or information so why would someone waste another good username and password at that site? I have what I call a garbage password, which I sometimes make a little hard to figure out (say by 'Satan'), and that is what I use where it would be irrelevant for someone to log in as me, so for example to download tons of free Windows drivers.
        Now of course for my email accounts, PayPal, ebay, and my online banking site, among others, I do have reasonable passwords, and it's hard enough to keep those important ones straight without pandering to stupid web sites that insist that I create an account with them for reasons that make no sense.
        • Why so many username/password?

          They want your personal details. You share with them your login name/password, they sell that for attempts at other sites. Some sites ask you for other information as well, that they have absolutely no business to know.
    • Why security where none is needed?

      Congratulations, you contribute to the problem.
      • @User name not displayed (x2):

        Contribute? How so? I suspect he was referring to some sites who require a login just to go beyond their front page and I'm not talking about corporate, copyright or 'pay-sites' either.
        • lol

          He contributes because he thinks he is qualified to determine when there should and should not be security measures such as a username and password put in place when he clearly does not understand the implications.

          Since you had to ask, you obviously don't either. Sorry, not trying to be rude, I just seem to be lacking the ability of finding a nice way to say it.