Microsoft has revealed that 1 out of 5 Microsoft accounts are now in the hands of hackers, but it's not because of any breach on their end, and those who have been breached have no one but themselves to blame. Instead, users who keep the same account and password across different websites are just asking for trouble.
Microsoft's Eric Doerr says that it's imperitive that this changes, but we kind of doubt that it will; after 15 years of warnings, some people just never learn. Nowadays, though, the problem is growing worse than ever, thanks to high profile breaches like last week's attack on Yahoo.
One of the first things a hacker does with a new account is go test it out on different services, and Doerr says that they manage to use their ill-gotten info to access other accounts about 20% of the time, or one in five accounts.
Think about that. Last month, hackers made off with a whopping 1.5 million LinkedIn accounts and all of their associated information. If those usernames and passwords work on other sites just one out of five times, that's a ginormous number of hacked accounts.
Even in the face of all that, Microsoft is working really hard to keep Hotmail and its associated services as secure as possible. For starters, they work really hard to educate users and make sure that they use good security practices to begin with, but if that fails, there are alternatives:
...we look to see if there is evidence of criminal activity, like sending spam. If we do see signs of criminal activity, we suspend the account and ask the rightful owner to go through account recovery to regain control.
Occasionally we get information about a set of customers, but there isn’t enough account information to identify who has reused passwords and is therefore at risk. Then we have a judgment call – do we ask 100% of those customers to reset their passwords, even though only 20% are probably at risk? Or do we leave the 20% at risk to avoid inconveniencing the 80%? Where there is a credible threat, the answer is simple – we err on the side of protecting customers...
This is done in an automated and secure way so no human actually sees the account info of our customers.
We know that most Neowin users a pretty savy, so hopefully we don't need to remind you to be careful when it comes to surfing the web, but we're still going to: seriously, trust no one and take no prisoners when it comes to security. And be glad that Microsoft cares enough to store their passwords as something other than .txt files.