Microsoft has confirmed that 44 million account details have been leaked. If your details were published online, you will need to change the password on any other accounts that use the same email address and password combination – since hackers will be able to log in to any account with the same details.
That could leave users’ social media accounts, email address, or worse yet, bank details vulnerable to cybercriminals.
And that’s not the only thing Microsoft users have to worry about at the moment. The US company has pushed out a new update designed to protect Microsoft Office users from hackers who could take over their PC thanks to a glitch in the software.
The vast leak of 44 million details was first unearthed by Microsoft’s threat research team. They carried out a routine scan of all Microsoft accounts between January and March – these details were then compared with a database of more than three billion sets of leaked login credentials. Out of the three billion or more, Microsoft got 44 million matches. It’s unclear how these email addresses and passwords were stolen and published online.
However, it could’ve been any number of popular attacks we’ve seen hackers resort to within the last few years. For example, earlier this month, Android users were warned about a dangerous new malware strain called StrandHogg, which mimicked the login page of certain banking apps to siphon off key details. Ploys like this could be used to steal crucial login details, which could match those used to access their Microsoft account.
According to Microsoft, the 44 million accounts are a mixture of consumer accounts and enterprise accounts in the form of Microsoft Azure logins.
Following the revelation, Microsoft issued the following statement: “For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side … On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced.”
It’s worth checking your email to see if Microsoft has informed you about a hard-reset on your Microsoft account password – a sign that your details were exposed.
The Redmond-based company goes on to recommend, “Given the frequency of passwords being reused by multiple individuals, it is critical to back your password with some form of strong credential. Multi-Factor Authentication (MFA) is an important security mechanism that can dramatically improve your security posture.
“Our numbers show that 99.9% of identity attacks have been thwarted by turning on MFA.”
If you’d like to enable a multi-factor authentication method on your Microsoft account – to better guard against hackers using details found online to access your account – you’ll need to head to account.microsoft.com/security and then sign in with your Microsoft account details.
Tap on More Security Options on the page, then find the Two-Step Verification option and choose Set Up Two-Step Verification if you’d like to enable the security-boosting feature on your account. Alternatively, if you don’t like the feature, you can disable it by tapping the Turn Off Two-Step Verification option in the same menu.
Just beware, if you decide to enable Two-Step Verification, you’ll always need to have two forms of identification to log in (hence the name). This means that if you forget your password, you need two contact methods to allow Microsoft to get in touch with you and reset the login. If you’re having the worst day imaginable and also manage to lose your contact method, your password alone won’t get you back into your account – and it can take you 30 days to regain access, Microsoft warns. In some scenarios, Microsoft could kick you out of your account entirely.
For that reason, the US technology company strongly recommends you have three pieces of security info associated with your account – just in case.