99.9% of compromised Microsoft accounts did not use multi-factor authentication


An interesting stat came out of the recent RSA conference in South Africa last week: almost all compromised Microsoft accounts (so outlook.com, live.com etc.) didn't have any multi-factor authentication, by which I mean (mainly) phone or authenticator codes to approve logins. Flipping the statistic on its head implies that if you do have multi-factor authentication then you're safe. There are still caveats, I'd argue, such as not publicising a phone number that's used for extra authentication, in case someone tries their luck pretending to be you on the phone to your network provider, to 'SIM jack' the number. But any form of multi-factor is way, way better than none. And it goes without saying that a complex password is way better than something simple, something common, or something used on other accounts that you own.

Anyway, from ZDNet:

Speaking at the RSA security conference last week, Microsoft engineers said that 99.9% of the compromised accounts they track every month don't use multi-factor authentication, a solution that stops most automated account attacks. The cloud giant said it tracks more than 30 billion login events per day and more than one billion monthly active users. Microsoft said that, on average, around 0.5% of all accounts get compromised each month, a number that in January 2020 was about 1.2 million.

While all account hacks are bad, they are worse when the account is for enterprise use. Of these highly-sensitive accounts, only 11% had a multi-factor authentication (MFA) solution enabled, as of January 2020, Microsoft said.

In most cases, the account hacks happen after rather simplistic attacks. The primary source of most hacks of Microsoft accounts was password spraying, a technique during which an attacker picks a common and easy-to-guess password, and goes through a long list of usernames until they get a hit and can access an account using said password.

The second source of account hacks, Microsoft said, was password replays, a technique that involves an attacker taking credentials leaked at another company and then trying the same credentials on a Microsoft account, hoping the user reused usernames and passwords.
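The two attack patterns ZDNet describes share one property that matters for defenders: each account is tried only once or twice, so a classic per-account lockout never fires. The signal sits at the source instead, as one origin failing against many different usernames in a short window. The script below is an added example written for this post, not code from AAWP, ZDNet or Microsoft; its log format (timestamp, result, username, source IP) and all the log lines are constructed for illustration, and the thresholds are arbitrary.

```python
"""Spot low-and-slow credential attacks (password spraying, password replay)
in authentication logs by counting distinct usernames per source.

Log format is a constructed, simplified one: "<ISO timestamp> <OK|FAIL> <user> <src ip>".
It is not a real Microsoft or Azure AD log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice mistypes twice then logs in; one source
# (198.51.100.7) fails once each against nine accounts, then succeeds on judy.
SAMPLE_LOG = """\
2020-03-02T09:00:01Z FAIL alice 203.0.113.5
2020-03-02T09:00:04Z FAIL alice 203.0.113.5
2020-03-02T09:00:09Z OK alice 203.0.113.5
2020-03-02T09:01:00Z FAIL bob 198.51.100.7
2020-03-02T09:01:02Z FAIL carol 198.51.100.7
2020-03-02T09:01:04Z FAIL dave 198.51.100.7
2020-03-02T09:01:06Z FAIL erin 198.51.100.7
2020-03-02T09:01:08Z FAIL frank 198.51.100.7
2020-03-02T09:01:10Z FAIL grace 198.51.100.7
2020-03-02T09:01:12Z FAIL heidi 198.51.100.7
2020-03-02T09:01:14Z FAIL ivan 198.51.100.7
2020-03-02T09:01:16Z FAIL judy 198.51.100.7
2020-03-02T09:01:18Z OK judy 198.51.100.7
"""


def parse_log(log_text):
    """Yield (timestamp, result, user, src) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, src


def per_account_lockout(log_text, threshold=5):
    """Classic control: users whose failure count reaches `threshold`.
    Spraying and replay stay below this on every account, so it returns nothing."""
    counts = defaultdict(int)
    for _, result, user, _ in parse_log(log_text):
        if result == "FAIL":
            counts[user] += 1
    return {u for u, n in counts.items() if n >= threshold}


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Per-source control: sources whose failures touch at least `min_users`
    distinct usernames inside any sliding `window`. Returns
    {src: sorted distinct usernames that source failed against}."""
    fails = defaultdict(list)  # src -> [(ts, user)]
    for ts, result, user, src in parse_log(log_text):
        if result == "FAIL":
            fails[src].append((ts, user))
    alerts = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                alerts[src] = sorted({u for _, u in events})
                break
    return alerts


def successes_from_flagged(log_text, alerts):
    """Accounts that later authenticated from a flagged source: the 'hit' the
    attacker was looking for, and the point where MFA would have stopped it."""
    return {(user, src) for _, result, user, src in parse_log(log_text)
            if result == "OK" and src in alerts}


if __name__ == "__main__":
    flagged = detect_spray(SAMPLE_LOG)
    print("per-account lockout fires for:", per_account_lockout(SAMPLE_LOG) or "nobody")
    print("sources spraying many accounts:", flagged)
    print("accounts hit from those sources:", successes_from_flagged(SAMPLE_LOG, flagged))
```

On the sample, the per-account lockout sees at most two failures for any user and stays silent, while the per-source view flags 198.51.100.7 against nine accounts and then ties the later success on judy back to it. That last step is where MFA earns its keep: a guessed or replayed password only turns into a compromise if the login completes without a second factor.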

I'll bet that most AAWP readers are tech-savvy enough (by now) to have implemented multi-factor authentication on all important accounts in their lives. But the RSA keynote is still a sobering reminder.

Source / Credit: ZDNet