One in five hacked logins match Microsoft Accounts

About 20 percent of compromised credentials, exposed via hacks on other service providers, match Microsoft Account logins due to password reuse
Written by Tom Espiner, Contributor

Around 20 percent of the logins found on lists of compromised credentials match those of Microsoft Accounts due to consumers using the same login details across more than one service, the company has said.

The lists are circulated by organisations and hackers in the wake of attacks on third-party service providers.

People re-use passwords and login details across services from different providers, Microsoft Account group manager Eric Doerr noted in a blog post on Sunday. That reuse means that if one set of logins is compromised, other accounts are at risk.

"These attacks shine a spotlight on the core issue — people reuse passwords between different websites," said Doerr, speaking after the Yahoo breach last week that exposed 400,000 user details. "On average, we see successful password matches of around 20 percent of matching usernames."

Doerr revealed the figure in a run-down of some Microsoft Account security practices, meant to reassure customers after the Yahoo hack. Microsoft Account is a single sign-on tool for Microsoft services such as SkyDrive, Hotmail, Xbox and Messenger.

Comparing lists

Microsoft regularly gets lists of compromised third-party login details from ISPs, law enforcement and vendors, as well as from lists published on the internet by hackers, according to Doerr. An automated process checks this information against Microsoft login details for any overlap. While 20 percent is the average, in one recent breach it was only 4.5 percent, said Doerr.
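To illustrate the overlap check Doerr describes, here is an added example (not Microsoft's code) of how a provider can test a leaked list against its own accounts without ever holding plaintext passwords: it assumes the provider stores salted PBKDF2 hashes and that the leaked list is made up of `user:password` lines, and it reports the share of matching usernames whose leaked password also unlocks the local account, which is the 20 percent figure in the article.

```python
import hashlib
import hmac
import os

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only salt + digest are stored, never plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def make_user_store(accounts: dict) -> dict:
    """Build an in-memory user store of username -> (salt, digest)."""
    store = {}
    for username, password in accounts.items():
        salt = os.urandom(16)
        store[username.lower()] = (salt, hash_password(password, salt))
    return store

def parse_dump(text: str):
    """Yield (username, password) from 'user:password' lines; skip malformed ones."""
    for line in text.splitlines():
        user, sep, pw = line.strip().partition(":")
        if sep and user and pw:
            yield user.lower(), pw

def check_reuse(store: dict, dump_text: str) -> dict:
    """Count dump usernames that are ours and how many reuse the same password."""
    matched, reused = 0, []
    for username, leaked_pw in parse_dump(dump_text):
        rec = store.get(username)
        if rec is None:
            continue  # not one of our accounts: nothing to check
        matched += 1
        salt, digest = rec
        if hmac.compare_digest(hash_password(leaked_pw, salt), digest):
            reused.append(username)  # same password: this account needs a reset
    rate = len(reused) / matched if matched else 0.0
    return {"matched_usernames": matched, "reused": reused, "reuse_rate": rate}

SAMPLE_ACCOUNTS = {  # constructed sample data, not real credentials
    "alice@example.com": "Winter2012!", "bob@example.com": "correct-horse",
    "carol@example.com": "s3cretSauce", "dave@example.com": "letmein99",
    "erin@example.com": "Tr0ub4dor&3"}
LEAKED_DUMP = """alice@example.com:Winter2012!
bob@example.com:hunter2
carol@example.com:qwerty123
dave@example.com:password1
erin@example.com:Tr0ub4dor&4
frank@example.com:Winter2012!
not a credential line
"""

def run_sample() -> dict:
    return check_reuse(make_user_store(SAMPLE_ACCOUNTS), LEAKED_DUMP)
```

Only the accounts in `reused` need a forced reset; usernames that merely appear in the dump with a different password are the candidates for the "suspected but not certain" warning the article describes.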

After a hack attack on another provider, Microsoft monitors its user accounts to see if they are being used to send spam. If it sees signs of criminal activity, it suspends the account, and the affected customer has to go through an account recovery process before being able to log in again.

If Microsoft suspects, but is not certain, that there has been a breach, it will ask customers to reset their passwords.

The company also uses behavioural monitoring technology similar to that used by banks to log patterns of access and location, to see if an attempted login is suspicious. The technology can block the attempt, or ask an additional identity question to decide whether to grant access.

Tightening security

The Microsoft Account team is working on tightening up security, Doerr said. The current 16-character limit on password length is set to increase, to make brute force attacks more difficult, for example. However, Microsoft is having problems making passwords longer because of its ecosystem, he noted.

"Unfortunately, for historical reasons, the password validation logic is decentralised across different products, so it's a bigger change than it should be and takes longer to get to market," Doerr said.

Yahoo, Gmail, Hushmail, Yandex and MyOperaMail all allow passcode lengths of 30 characters, as one Microsoft account holder, MondayBlues, pointed out in a comment.

Doerr noted that people using SkyDrive device-synchronisation software and buying products on Xbox.com are required to use two-factor authentication. Microsoft is working on implementing this security measure in more products and services, he said, but did not specify which.

Updated: This article was updated at 5.22pm BST after clarification from Microsoft.
