Millions of Microsoft users are placing themselves at unnecessary risk by using login credentials that were stolen in earlier security breaches at other online services.
According to the Redmond software giant’s analysis, 44 million users have been using compromised usernames and passwords between January and March this year.
Microsoft said it arrived at these numbers by analysing a database of more than three billion leaked credentials. The database was pooled from multiple sources, including public databases and law enforcement, and Microsoft's own accounts were then scanned against it.
The scan let Microsoft see which users reused the same login credentials across different online services; the count came to 44 million, covering both regular consumer accounts and Azure AD accounts.
"For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side," Microsoft said. "On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced," it added.
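The match-and-respond flow described above, as an added illustration that is not Microsoft's code: leaked (username, password) pairs are verified against locally stored salted PBKDF2 hashes, and a match forces a reset on a consumer account or raises the risk level and alerts an administrator on an enterprise account. The hashing scheme, the `Account` fields and the sample data are assumptions constructed for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ITERATIONS = 100_000  # PBKDF2 work factor; assumed for this example


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    enterprise: bool            # True for a directory (enterprise) account
    risk: str = "none"          # elevated to "high" on an enterprise match
    force_reset: bool = False   # set on a consumer match
    admin_alerts: list = field(default_factory=list)


def make_account(username: str, password: str, enterprise: bool) -> Account:
    # Store only a salted hash; the plaintext is never kept.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return Account(username, salt, digest, enterprise)


def verify(account: Account, candidate: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), account.salt, ITERATIONS)
    return hmac.compare_digest(digest, account.pw_hash)


def scan_leaks(accounts: list, leaked: list) -> list:
    """Test each leaked (username, password) pair against local accounts.
    Applies the consumer/enterprise response and returns matched usernames."""
    by_name = {a.username: a for a in accounts}
    matched = []
    for user, password in leaked:
        acct = by_name.get(user)
        if acct is None or not verify(acct, password):
            continue  # unknown user, or the leaked password is not the one in use
        matched.append(user)
        if acct.enterprise:
            acct.risk = "high"
            acct.admin_alerts.append(f"leaked credential matches {user}; enforce reset")
        else:
            acct.force_reset = True
    return matched


def run_demo() -> tuple:
    # Constructed sample data: two reused passwords, one stale leak, one unknown user.
    accounts = [make_account("alice", "Winter2019!", False),
                make_account("bob", "Summer2018", True),
                make_account("dave", "Unique-Pass-77", False)]
    leaked = [("alice", "Winter2019!"), ("bob", "Summer2018"),
              ("dave", "OldPassword1"), ("mallory", "hunter2")]
    return {a.username: a for a in accounts}, scan_leaks(accounts, leaked)
```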
Microsoft has a fairly strict password policy and recommends that users turn on two-factor authentication. However, no matter how strong a password is, if it is reused on another service and that service gets breached, there is nothing Microsoft can do about it.
Poor password hygiene, which includes weak and obvious passwords (such as passw0rd, 12345678 or iloveyou) as well as password reuse, is one of the main causes of data breaches and stolen credentials.