Multi-Factor Authentication leads to Microsoft Account Breach

Multi-Factor Authentication: The Devil Is In The Details

( 2 min read )

Hackers attacked more than a million Microsoft Accounts !

If you need any more affirmation that your organisational security is indeed in your hands, then this case study is for you. Towards the beginning of the year, a shocking number of cases came to light, in which 1.2 million Microsoft accounts had been compromised. The thing to be most worried about? All 1.2 million users had fallen victims due to the same mistake. And no, it is not something Microsoft, tech giant that it is, could’ve mitigated by improving their security features. It’s something actually something pretty basic: multi-factor authentication.

Incident Report

At the prestigious RSA Conference, where the top leaders of security gather to talk shop, it became clear that all the Microsoft Accounts that had been hacked had one thing in common: they had overlooked Multi-Factor Authentication. The rate of such security breaches for Microsoft has been a meagre 0.5%, and it was definitely a cause for an investigation when the number suddenly struck 1.2 million. The investigation revealed that only 11% of the users had enforced MFA on their accounts in the month the compromise took place. Officials behind the study declared that a majority of the account holders could have saved themselves from the attack, had they implemented multi-factor authentication.

The modus operandi of the attackers had been a combination of password spraying and password relay. Password spraying is a brute force attack on multiple user accounts, where the attacker tries entering with a bunch of commonly used passwords. In password relay attacks, the hacker, having gained access to one of the services the victim is subscribed to, uses the same password for other services.

The obvious defence against these attacks is simple: don’t use easy to guess passwords and don’t use the same password across multiple accounts/services. But each to her/his own. People have their own personal password policies. It depends on how many accounts they need to handle, how many of those are business, how many personal etc. We certainly cannot rely on the mind to remember such a vast repository of credentials. Obviously, there is a certain risk involved in storing it on disk, much more so on a piece of paper. Furthermore, suppose your password is bulletproof. What’s to stop someone from clicking on “Forgot Password?” links and trying to change it? This is exactly why security institutes introduced technologies like multi-factor authentication.

What is Multi-Factor Authentication?

MFA is an additional layer of security that envelops your credentials. It is an authentication protocol that works on the OTP concept. Here, on logging into an MFA account, you get an OTP to either your phone number or email. This OTP is mandatory to insert before you can get access to your service. MFA has slowly become an integral part of almost all channels that require you to register an account. Also, you should definitely enable it not just for yourself but for all your employees and business accounts as well.

Looking for a trusted vendor of Microsoft Products?

Logix Infosecurity has been a Gold Partner and Cloud Service Provider. In that capacity, Logix provides its own security functionality in addition to the hefty protection layers that Microsoft itself offers. Less risk, more security! You can find more details on our Office 365 Service Page.

One thought on “Multi-Factor Authentication: The Devil Is In The Details

Leave a Reply

Your email address will not be published. Required fields are marked *