One in five Microsoft accounts controlled by hackers

Microsoft has revealed that 1 out of 5 Microsoft accounts are now in the hands of hackers, but it's not because of any breach on their end, and those who have been breached have no one but themselves to blame. Instead, users who keep the same account and password across different websites are just asking for trouble.

Microsoft's Eric Doerr says that it's imperative that this changes, but we kind of doubt that it will; after 15 years of warnings, some people just never learn. Nowadays, though, the problem is growing worse than ever, thanks to high-profile breaches like last week's attack on Yahoo.

One of the first things a hacker does with a newly stolen set of credentials is try it out on other services, and Doerr says that the ill-gotten info gets them into other accounts about 20% of the time, or one in five accounts.

Think about that. Last month, hackers made off with a whopping 1.5 million LinkedIn accounts and all of their associated information. If those usernames and passwords work on other sites just one out of five times, that's a ginormous number of hacked accounts.

Even in the face of all that, Microsoft is working hard to keep Hotmail and its associated services as secure as possible. For starters, they try to educate users and make sure that they follow good security practices to begin with, but if that fails, there are alternatives:

...we look to see if there is evidence of criminal activity, like sending spam. If we do see signs of criminal activity, we suspend the account and ask the rightful owner to go through account recovery to regain control.

Occasionally we get information about a set of customers, but there isn’t enough account information to identify who has reused passwords and is therefore at risk. Then we have a judgment call – do we ask 100% of those customers to reset their passwords, even though only 20% are probably at risk? Or do we leave the 20% at risk to avoid inconveniencing the 80%? Where there is a credible threat, the answer is simple – we err on the side of protecting customers...

This is done in an automated and secure way so no human actually sees the account info of our customers.

We know that most Neowin users are pretty savvy, so hopefully we don't need to remind you to be careful when it comes to surfing the web, but we're still going to: seriously, trust no one and take no prisoners when it comes to security. And be glad that Microsoft cares enough to store their passwords as something other than .txt files.

Via: ZDNet
Source: Microsoft


30 Comments


My Hotmail account got hacked once, 2 years ago. That'll teach me for not changing the password since 2000. It is, however, a 16-character alpha/numeric/special password now, so good luck hacking that within my lifetime.

Correct me if I'm wrong, but the source says:

You'd be surprised how often the lists - especially the publicly posted ones - are complete garbage with zero matches. But sometimes there are hits - on average, we see successful password matches of around 20% of matching usernames. A recent one only had 4.5% overlap. This is actually exciting because it means that, on average, 80% of our customers are following safe password practices, and this reflects a growing sophistication in our customers.

Sounds to me like 1 in 5 of the people on those leaked email/password lists you can find online actually match a username/password for Live, not that 1 in 5 Live accounts are compromised... and even for those that do match, the article points out that Microsoft has those accounts change their password, so it's really a much smaller number that are actually "controlled by hackers"... the title is extremely misleading IMO.

bkellner said,
I'd like to know how do they determine if people use the same username and password across different websites.

When a hacker breaks into a website and leaks a list of username/passwords, Microsoft has software that compares that list to their Live users...if they match, then they + 1 to the number of people who use the same un/pass across diff. websites.
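The comparison described in this thread, as an added worked example (not Microsoft's code, and the accounts, passwords and leaked list below are constructed for illustration): a defender holds only salted password hashes, receives a leaked plaintext username/password list from some other site, and checks each leaked pair against its own store. Usernames that exist locally count as "matching"; the subset whose leaked password also verifies against the local hash counts as "reused", which is the 20% figure quoted from the source. Only usernames leave the function, never plaintext, so the reused set can be fed straight into a forced-reset queue.

```python
import hashlib
import hmac
import os

# Constructed local user store for the example: these accounts and
# passwords are made up and belong to no real service.
LOCAL_ACCOUNTS = [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "Tr0ub4dor&3"),
    ("carol@example.com", "c4r0l-2012!"),
    ("dave@example.com", "d4ve-passw0rd"),
    ("erin@example.com", "erin.is.here.99"),
]

# Constructed "leaked" list as it might be posted after a breach of some
# other site: plaintext pairs. Only alice reused her password here;
# frank and grace have no account in the local store at all.
LEAKED_LIST = [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "bobsotherpassword"),
    ("Carol@Example.com", "c4r0lsforum"),
    ("dave@example.com", "d4ve-something-else"),
    ("erin@example.com", "erin2011"),
    ("frank@example.com", "frankly"),
    ("grace@example.com", "gracefully"),
]

# PBKDF2 work factor; assumed for the example, not a site-specific value.
ITERATIONS = 100_000


def hash_password(password, salt, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 of a password; stand-in for the
    site's real password hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_store(accounts):
    """Build the local store: lowercased username -> (salt, hash).
    Plaintext is discarded as soon as the hash exists."""
    store = {}
    for username, password in accounts:
        salt = os.urandom(16)
        store[username.strip().lower()] = (salt, hash_password(password, salt))
    return store


def check_leak(leaked, store):
    """Return (matching, reused): usernames present locally, and the
    subset whose leaked password verifies against the local hash."""
    matching, reused = [], []
    for username, password in leaked:
        key = username.strip().lower()
        if key not in store:
            continue
        matching.append(key)
        salt, stored = store[key]
        # Constant-time compare so timing does not leak which hashes matched.
        if hmac.compare_digest(hash_password(password, salt), stored):
            reused.append(key)
    return matching, reused


def run_check(leaked=LEAKED_LIST, accounts=LOCAL_ACCOUNTS):
    """Whole pipeline on the constructed data: overlap count, reuse rate
    over matching usernames, and the list to push through forced reset."""
    store = build_store(accounts)
    matching, reused = check_leak(leaked, store)
    rate = len(reused) / len(matching) if matching else 0.0
    return {
        "matching_usernames": len(matching),
        "reused": sorted(reused),
        "reuse_rate": rate,
        "force_reset": sorted(reused),
    }


if __name__ == "__main__":
    result = run_check()
    print(f"{result['matching_usernames']} leaked usernames exist locally")
    print(f"reuse rate among them: {result['reuse_rate']:.0%}")
    print("forced reset:", ", ".join(result["force_reset"]))
```

Two caveats a practitioner would want. First, this only works when the leaked list carries plaintext (or a hash you can reproduce); if the other site leaked its own salted hashes, there is nothing to verify against and the only safe move is the judgment call Microsoft describes, resetting every matching account. Second, the reuse rate is measured over matching usernames, not over the whole user base, which is exactly the distinction the comment above draws.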

Have none of you people ever heard of LastPass? It's so easy to use and crazy secure that NOT using it is just dumb. I remember one long-ass strong password that I use on my PC for my LastPass vault and nothing else, then you slowly but surely replace the passwords on other sites with randomly generated passwords that even you would never guess in 100 years.

webdev511 said,
Have none of you people ever heard of LastPass? It's so easy to use and crazy secure that NOT using it is just dumb. I remember one long-ass strong password that I use on my PC for my LastPass vault and nothing else, then you slowly but surely replace the passwords on other sites with randomly generated passwords that even you would never guess in 100 years.

Or Roboform

I use the same password across multiple sites but there is a method to which passwords I use. For example, sites like this one and The Verge, Facebook and Twitter have the same password. Sites like online ordering (Amazon, New Egg, etc...) use a different password. Lastly sites like banks and credit cards have a third different password. It makes for easy memorization without risking security.

My bank has 3 different passwords: one for login, one for transactions and one for updating my profile. Even if I enter the transaction password, the bank texts me an 8-digit high-security password on the next screen for the transaction to be successful. So the hackers have to steal my mobile phone or clone my SIM to access and transfer funds from my account. Further, my bank forces me to change my password every 2 months.

But true hackers can bypass this security with right loopholes.

Why not use 2-phase authentication like Google, so even if my account is hacked they also need to be able to get to my SMS messages for the second verification. It can be a bit of a PITA if you have no phone signal, but better than losing the account and all the problems that entails.

My Gmail, Live and PayPal accounts share the same password. I figure these services will "never" get hacked (yes, I know about Yahoo). Lesser services like forums and stuff share two other passwords. Every 6 months or so I change all three.

The Gmail and Live accounts aren't connected in any way, and the only way to retrieve a lost password is by phone. Seems pretty secure.

I wish to have a username+password combination for each web service, but the problem is that I can't remember so many passwords.

alxtsg said,
I wish to have a username+password combination for each web service, but the problem is that I can't remember so many passwords.

Write them down in a notepad and keep them in your desk drawer. If someone's stealing them that way then you have bigger problems than password theft.

alxtsg said,
I wish to have a username+password combination for each web service, but the problem is that I can't remember so many passwords.

LastPass
KeePass
1Password
Mac OS X keychain
...

Questions?

GS:mac

Yeah I use KeePass and just keep the database file in a Dropbox sync folder so if something happens to my computer, Dropbox should still have it and vice versa.

As we're comparing banks: mine has an internet banking ID, a secret question I have to answer and something called a secure key. This is a physical device you enter a PIN on; it then generates an access code to log on, and you also have to do this before making a bank transfer to a new person.

So I could give you all the details to log on to my online banking and it would still get you nowhere; you would have to physically obtain my secure key and know the PIN for it.

This is of course NOT what Eric Doerr said. Microsoft found username/password combos *from other networks* that matched ones in their system about 20% of the time, not that all 20% of those corresponding accounts had been "hacked". Bad guys would still have to match up the accounts with an 80% fail rate (remember that Microsoft knows that the account info matches, but the hackers don't), force their way in past security features like location checks, and actually take the time to log in to the accounts. The potential is certainly there, of course, and your account security is only as good as the least secure system you use the same user/password combo on, but Microsoft never said that "1 out of 5 Microsoft accounts are now in the hands of hackers". Sheesh.

My bank makes me use my customer number, and a password with letters and numbers, which needs to be input using a mouse and clicking buttons.

It's so easy to just use the same password on multiple sites and I definitely used to do it. After my Blizzard account got hacked I decided it's probably a good idea to not use the same password for my bank account as I do for my email and less important things, so I fixed that. I do still use the same password for multiple email accounts. I don't have anything that's really sensitive in my email and I'll just change the password on all if one gets compromised.

Stokkolm said,
It's so easy to just use the same password on multiple sites and I definitely used to do it. After my Blizzard account got hacked I decided it's probably a good idea to not use the same password for my bank account as I do for my email and less important things, so I fixed that. I do still use the same password for multiple email accounts. I don't have anything that's really sensitive in my email and I'll just change the password on all if one gets compromised.

You can choose the password for your bank? At mine it's given. I can't change it.

thekim said,

You can choose the password for your bank? At mine it's given. I can't change it.

Yep, my bank lets me choose my username and password. I have three banks and they all have done this.

Stokkolm said,
I do still use the same password for multiple email accounts. I don't have anything that's really sensitive in my email and I'll just change the password on all if one gets compromised.

Dude, at least choose a different password for email accounts that are linked to bank accounts, PayPal, Amazon, Blizzard, etc.

sanke1 said,

You need to change your bank!

I'm not sure. I think so; it's ensured that I definitely have a different password for my bank than for everything else.

Stokkolm said,
It's so easy to just use the same password on multiple sites and I definitely used to do it. After my Blizzard account got hacked I decided it's probably a good idea to not use the same password for my bank account as I do for my email and less important things, so I fixed that. I do still use the same password for multiple email accounts. I don't have anything that's really sensitive in my email and I'll just change the password on all if one gets compromised.

Since LiveID goes beyond just email access (and so does a Google account), I can't imagine setting a common password for it. I have unique passwords for these as well as things like PayPal, eBay, etc.