Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI, kudos:7)

One in five Microsoft accounts controlled by hackers

Tyler Holman yesterday

Microsoft has revealed that 1 out of 5 Microsoft accounts are now in the hands of hackers, but it's not because of any breach on their end, and those who have been breached have no one but themselves to blame. Instead, users who keep the same account and password across different websites are just asking for trouble.

Microsoft's Eric Doerr says that it's imperative that this changes, but we kind of doubt that it will; after 15 years of warnings, some people just never learn. Nowadays, though, the problem is growing worse than ever, thanks to high profile breaches like last week's attack on Yahoo.

One of the first things a hacker does with a new account is go test it out on different services, and Doerr says that they manage to use their ill-gotten info to access other accounts about 20% of the time, or one in five accounts.

Think about that. Last month, hackers made off with a whopping 1.5 million LinkedIn accounts and all of their associated information. If those usernames and passwords work on other sites just one out of five times, that's a ginormous number of hacked accounts.

Even in the face of all that, Microsoft is working really hard to keep Hotmail and its associated services as secure as possible. For starters, they work really hard to educate users and make sure that they use good security practices to begin with, but if that fails, there are alternatives:

»www.neowin.net/news/one- ··· -hackers

therube (Member, join:2004-11-11, Randallstown, MD)

Define: ginormous
(heh. look at the first example.)

Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI, kudos:7)

said by therube:

Define: ginormous
(heh. look at the first example.)

Go see the TSA
»sanfrancisco.cbslocal.co ··· -at-sfo/
tholly911 (Member, join:2012-05-30, Pasadena, TX) to Name Game
lol @ NG's analogy and other wording ...
said by Microsoft:
Even in the face of all that, Microsoft is working really hard ...


Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI, kudos:7)

I think this whole thread is going to come to a head when the real hotmale stands up to be counted..."but if that fails, there are alternatives:"
miketavares (Member, join:2000-12-10, North Dighton, MA) to Name Game
My turn to Rant about this.

As the article states, after 15 years of telling people not to use the same username and password on multiple sites, users continue to do this (hence why they are referred to as users). That's not to say that we should not continue to educate our users that this is bad practice.

Since users are not going to change their ways anytime soon, it is up to the sites that are forcing users to use username/password to take reasonable steps to protect this data. Storing passwords in plain text (Yahoo accounts last week) or with unsalted weak encryption (LinkedIn) does NOT constitute reasonable steps, and these companies should be held accountable. At this point these companies are playing the "we were hacked" victim role and are basically getting a free pass.

To take this rant a little further: before we fully blame users for using the same username/password combo on multiple sites, how many of the ACCOUNTS actually belong to a real user? Looking at the trends of some of the recently revealed leaked passwords, I fully suspect there are not a lot of users that use ninja (just one example) as a password. I suspect that a lot of these accounts with easy to remember passwords are accounts that are actively, or will be actively, used in the future for non-legit purposes.

Why this will continue to happen:
1. Most users don't know the dangers (or plain don't care)
2. Most companies are interested in the Bottom line, and security cost money which has a negative effect on the bottom line.
3. I have run into several dozen C?O's over the 20 years I have been in the IT world that still believe to this day that this will never happen to their company. And several of them have stated on the record that security impedes the day to day activities of their users and they would rather have their users productive than ensure their data is secure.
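The post above contrasts plain-text or unsalted storage with "reasonable steps." As an added illustration (not code from the post or from any of the sites named), the block below puts an unsalted SHA-1 digest, of the kind the LinkedIn leak was reported to contain, next to a salted, iterated PBKDF2-HMAC-SHA256 hash from Python's standard library. The sample password "ninja" is the one the poster mentions; the storage format `algo$iterations$salt$digest` and the iteration count are assumptions chosen for this example.

```python
import hashlib
import hmac
import os

# Constructed sample: the weak password the post names, reused by two users.
SAMPLE_PASSWORD = "ninja"


def weak_unsalted_sha1(password: str) -> str:
    """Unsalted SHA-1, the style of hash found in the LinkedIn dump.

    No salt means every user with the same password gets the same digest,
    so one precomputed table cracks every one of them at once, and the
    leaked table itself reveals which accounts share a password.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 (stdlib only).

    A fresh random 16-byte salt per user defeats shared precomputation, and
    the iteration count makes each guess expensive for whoever steals the
    table. The stored string bundles everything needed to verify later.
    Format (assumed for this example): algo$iterations$salt_hex$digest_hex
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False  # refuse to verify against an unknown or legacy scheme
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_visible(hashes: list[str]) -> bool:
    """True if two stored records are byte-identical, i.e. the table itself
    exposes shared passwords. Unsalted tables do; salted ones should not."""
    return len(set(hashes)) < len(hashes)


if __name__ == "__main__":
    weak_table = [weak_unsalted_sha1(SAMPLE_PASSWORD) for _ in range(2)]
    strong_table = [hash_password(SAMPLE_PASSWORD) for _ in range(2)]
    print("unsalted table reveals reuse:", same_password_visible(weak_table))
    print("salted table reveals reuse:  ", same_password_visible(strong_table))
    print("verify correct password:     ", verify_password(SAMPLE_PASSWORD, strong_table[0]))
    print("verify wrong password:       ", verify_password("Ninja", strong_table[0]))
```

The two tables make the poster's point concrete: in the unsalted table two users with "ninja" are indistinguishable from the outside, and one lookup defeats both; in the salted table the records differ and each must be attacked separately at PBKDF2 cost.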

Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI, kudos:7)

Interesting..Thanks for Your insight and experience.

Snowy (Premium Member, join:2003-04-05, Kailua, HI, kudos:6) to Name Game
I'm not sure it's possible to understate the amount of accounts compromised via a common password across different domains.
Years ago I suggested a server side small fix that went absolutely nowhere, but I still believe that if security can get past marketing & to a smaller degree legal depts. it would help.
As a matter of the TOS, allowing a provider to ping any associated online account using the same password used by the customer on their domain would eliminate that security hole by not allowing a new account creation or continue to happen for an existing account where there was a successful cross domain login until a unique password is chosen.

jaykaykay (4 Ever Young, MVM, join:2000-04-13, USA, kudos:24) to Name Game
said by Name Game:

said by therube:

Define: ginormous
(heh. look at the first example.)

Go see the TSA
»sanfrancisco.cbslocal.co ··· -at-sfo/

They suspected he was hiding something in his pants! They were right, he did.

id man (Anon, @pnap.net) to Name Game
How many sites require your email address as your user name?
Microsoft live id, Adobe, buzztouch, oracle, vmware, facebook, google, logitech, hp shopping
Mele20 (Premium Member, join:2001-06-05, Hilo, HI, kudos:8)

VMWare? Their forums do not use an email address for your user name, nor do Microsoft's, etc., but Microsoft's LiveID does; but what is that needed for? The only thing I use that for is accessing my profile to change my newsletter subscriptions. Dell doesn't use your email address for shopping. I don't have Facebook or Google accounts so I don't know what they do. I don't find many sites that use an email address as the user name.

Snowy (Premium Member, join:2003-04-05, Kailua, HI, kudos:6)

said by Mele20:

I don't find many sites that use an email address as the user name.

I believe the point of the OP was that just about every site uses an email address for password recovery.
All too often a mailbox will reference a site with the next step being using the password recovery of that site to obtain a login token.

Name Game (Premium Member, join:2002-07-07, Grand Rapids, MI, kudos:7) to Mele20 (2 edits)
said by Mele20:

VMWare? Their forums do not use an email address for your user name, nor do Microsoft's, etc., but Microsoft's LiveID does; but what is that needed for? The only thing I use that for is accessing my profile to change my newsletter subscriptions. Dell doesn't use your email address for shopping. I don't have Facebook or Google accounts so I don't know what they do. I don't find many sites that use an email address as the user name.

Vmware..
»www.vmware.com/resources ··· er/login

I find many that do..

»windowsteamblog.com/wind ··· =twitter
Mele20 (Premium Member, join:2001-06-05, Hilo, HI, kudos:8) (1 edit)

I don't login there. If you login where I do for VMWare, you have a choice of entering either your email address or customer number.

That Microsoft blog said it is Microsoft Account now. So how come you still log into Windows Live/Passport?
Kearnstd (Space Elf, Premium Member, join:2002-01-22, Mullica Hill, NJ, kudos:2) to miketavares
said by miketavares:

3. I have run into several dozen C?O's over the 20 years I have been in the IT world that still believe to this day that this will never happen to their company. And several of them have stated on the record that security impedes the day to day activities of their users and they would rather have their users productive than ensure their data is secure.

I think this is the biggest issue of all. On one hand, in a perfect world passwords would be 16 characters and backed up by an authenticator dongle (guess the proper term is RSA key). Problem is, people recycle UIDs and PWs because they want things they can remember.