Microsoft has used a database of leaked credentials to identify users who reuse their passwords without regard for the risks involved. The US giant identified 44 million such users in the first quarter of 2019.

Between January and March 2019, Microsoft conducted a major investigation among its users. For this, the company used a huge database containing no fewer than 3 billion passwords.

These passwords come from multiple sources and all share one characteristic: they have leaked and are easily available on the Web. Microsoft then compared this database with the current account information of its users.


In the end, it turns out that, whether or not they had been warned that their data had been compromised, 44 million users still use the same credentials and passwords on different accounts. This figure covers every type of Microsoft service, such as Windows, Xbox One and the company's online services, as well as Microsoft Azure.

In 2018, a study of 28.8 million accounts found that reusing a password, or making only superficial changes to the original, was very common: it was observed in 52% of users. The same study showed that for 30% of the modified passwords, and for all the reused passwords, fewer than 10 attempts were enough for a hacker to break into an account. In the same year, another study showed that 59% of Internet users consistently used the same password for all their accounts.

However, Microsoft took the lead and says: "For credentials that have been leaked and matched, we require a reset of the password. No further action is required on the part of the user."
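
How a service can run this kind of comparison against its own accounts and decide who needs a forced reset, as an added example that is not Microsoft's code or part of the original article. It assumes accounts are stored as salted PBKDF2 hashes and that the breach corpus is a list of identifier/password pairs; every name and all sample data are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for the service's password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_account(password: str) -> dict:
    """Build a constructed account record; only the salt and hash are stored."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def find_reused_credentials(accounts: dict, breach_corpus: list) -> list:
    """Return usernames whose current password appears in the breach corpus.

    Salted hashes cannot be compared with a leaked list directly, so each leaked
    password is re-hashed with the salt of the account that shares its
    identifier and compared in constant time.
    """
    flagged = set()
    for username, leaked_password in breach_corpus:
        key = username.strip().lower()
        account = accounts.get(key)
        if account is None:
            continue  # leaked identifier does not belong to this service
        candidate = hash_password(leaked_password, account["salt"])
        if hmac.compare_digest(candidate, account["hash"]):
            flagged.add(key)
    return sorted(flagged)


# Constructed sample data: three local accounts and a leaked third-party list.
ACCOUNTS = {
    "alice@example.com": make_account("Summer2018!"),
    "bob@example.com": make_account("correct horse battery staple"),
    "carol@example.com": make_account("Tr0ub4dor&3"),
}
BREACH_CORPUS = [
    ("Alice@example.com", "Summer2018!"),  # same password reused elsewhere
    ("bob@example.com", "hunter2"),        # leaked, but not reused here
    ("dave@example.com", "letmein"),       # not a user of this service
]

if __name__ == "__main__":
    for user in find_reused_credentials(ACCOUNTS, BREACH_CORPUS):
        print(f"force password reset: {user}")
```

Only accounts whose stored hash matches a leaked password are flagged, so a user whose address appears in a breach but who chose a different password here is left alone.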


On the enterprise side, Microsoft will raise the risk level assigned to the user and alert the administrator so that a credential reset can be enforced. The OS manufacturer has established itself as a strong advocate and developer of multi-factor authentication (MFA) solutions.

Earlier this summer, the company said that enabling MFA on a Microsoft account blocks 99.9 percent of all attacks, and that attempts to bypass MFA are so rare that its security team does not even have statistics on this type of threat. Microsoft generally warns against using weak or easy-to-guess passwords when creating an account, but these warnings do not cover password reuse scenarios.


In fact, Microsoft has no way of knowing whether a user has reused their Microsoft password elsewhere. Once a third-party service suffers a security breach and the user's password is stolen and disclosed online, the user's Microsoft account is inadvertently placed at risk, even if the password is strong. Hackers can take the disclosed password and try it against the user's other accounts, such as Microsoft, Google, Facebook, Twitter, etc. Microsoft calls this a "breakthrough attack".