Watch Out: 99.9 Percent of Hacked Microsoft Accounts Don’t Use 2FA
Two-factor authentication (2FA) is the single most effective method of preventing unauthorized access to an online account. Still need convincing? Have a look at these jaw-dropping numbers from Microsoft.
The Hard Numbers
In February 2020, Microsoft gave a presentation at the RSA Conference entitled “Breaking Password Dependencies: Challenges in the Final Mile at Microsoft.” The whole presentation was fascinating if you’re interested in how to secure user accounts. Even if that thought numbs your mind, the statistics and numbers presented were amazing.
Microsoft tracks over 1 billion active accounts monthly, which is nearly 1/8 of the world’s population. These generate more than 30 billion monthly login events. Every login to a corporate O365 account can generate multiple login entries across multiple apps, as well as additional events for other apps that use O365 for single sign-on.
If that number sounds big, bear in mind that Microsoft stops 300 million fraudulent sign-in attempts every day. Again, that’s not per year or per month, but 300 million per day.
In January 2020, 480,000 Microsoft accounts—0.048 percent of all Microsoft accounts—were compromised by spraying attacks. This is when an attacker runs a common password (like “Spring2020!”) against lists of thousands of accounts, in the hopes that some of those will have used that common password.
Sprays are just one form of attack; hundreds of thousands more accounts were compromised by credential stuffing. To perpetrate these attacks, the attacker buys username and password pairs on the dark web and tries them on other services.
Then, there’s phishing, which is when an attacker convinces you to log in to a fake website to get your password. These methods are how online accounts are typically “hacked,” in common parlance.
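From a defender's side, a spray stands out in sign-in telemetry as one source failing against many different accounts in a short time, whereas a user who mistypes a password fails repeatedly against a single account. The following detection sketch is an added example, not code from the article or from Microsoft; the log format, the sample events, the five-account threshold and the ten-minute window are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry): ISO time, account, source IP, outcome.
# 203.0.113.10 tries one password against six different accounts and gets in on the sixth;
# 198.51.100.7 is a single user who fumbles their own password twice, then succeeds.
SAMPLE_LOG = """\
2020-01-15T08:00:01Z alice@example.com 203.0.113.10 FAILURE
2020-01-15T08:00:03Z bob@example.com 203.0.113.10 FAILURE
2020-01-15T08:00:05Z carol@example.com 203.0.113.10 FAILURE
2020-01-15T08:00:07Z dave@example.com 203.0.113.10 FAILURE
2020-01-15T08:00:09Z erin@example.com 203.0.113.10 FAILURE
2020-01-15T08:00:11Z frank@example.com 203.0.113.10 SUCCESS
2020-01-15T08:01:00Z grace@example.com 198.51.100.7 FAILURE
2020-01-15T08:01:20Z grace@example.com 198.51.100.7 FAILURE
2020-01-15T08:01:40Z grace@example.com 198.51.100.7 SUCCESS
"""


def parse_events(text):
    """Parse the constructed whitespace-separated log into (time, user, ip, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, user, ip, outcome))
    events.sort(key=lambda e: e[0])
    return events


def detect_password_spray(events, min_distinct_users=5, window=timedelta(minutes=10)):
    """Flag source IPs whose failed sign-ins touch at least `min_distinct_users`
    distinct accounts inside any `window`-long span.

    Returns {ip: {"distinct_users": n, "success_from_same_ip": bool}}.
    A success from an IP that is also spraying is the finding to triage first,
    because it usually means one of the sprayed accounts accepted the password.
    """
    by_ip = defaultdict(list)
    for when, user, ip, outcome in events:
        by_ip[ip].append((when, user, outcome))

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        best = 0
        # Sliding window over this IP's events in time order; count distinct failed accounts.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            failed_users = {u for _, u, o in evs[start:end + 1] if o == "FAILURE"}
            best = max(best, len(failed_users))
        if best >= min_distinct_users:
            findings[ip] = {
                "distinct_users": best,
                "success_from_same_ip": any(o == "SUCCESS" for _, _, o in evs),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect_password_spray(parse_events(SAMPLE_LOG)).items():
        print(f"possible spray from {ip}: {info}")
```

The per-account lockout that stops brute force does nothing here, since each account only sees one failure; the signal lives in the source-IP dimension, and the two IPs in the sample are told apart purely by how many distinct accounts their failures touch. In production the same logic is normally run on the identity provider's sign-in logs with the threshold tuned to the tenant's normal noise.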
In all, over 1 million Microsoft accounts were breached in January. That’s just over 32,000 compromised accounts per day, which sounds bad until you remember the 300 million fraudulent login attempts stopped per day.
But the most important number of all is that 99.9 percent of all Microsoft account breaches would have been stopped if the accounts had two-factor authentication enabled.
What Is Two-Factor Authentication?
As a quick reminder, two-factor authentication (2FA) requires an additional method for authenticating your account rather than just a username and password. That additional method is often a six-digit code sent to your phone by SMS or generated by an app. You then type that six-digit code as part of the login procedure for your account.
Two-factor authentication is a type of multifactor authentication (MFA). There are other MFA methods, as well, including physical USB tokens you plug in to your device, or biometric scans of your fingerprint or eye. However, a code sent to your phone is by far the most common.
However, multifactor authentication is a broad term—a very secure account might require three factors instead of two, for example.
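To make the six-digit app-generated code concrete, here is how it is computed and checked. This is an added example, not code from the article or from Microsoft: the authenticator app and the server share a secret, and both derive the code from an HMAC over the current 30-second time step (the TOTP scheme of RFC 6238, built on HOTP from RFC 4226). The secret below is the constructed demo key from the RFC test vectors; the one-step tolerance window and the `last_used` replay guard are design choices of this example rather than anything the article specifies.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the ASCII key used in the RFC 4226 / RFC 6238 test vectors,
# base32-encoded the way authenticator apps expect it. Never reuse it for anything real.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits`."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time=None, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter set to the current 30-second time step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_totp(secret_b32, submitted, at_time=None, step=30, window=1, last_used=-1):
    """Server-side check. Returns the matching time-step counter, or None.

    Accepts codes from `window` steps on either side of now to tolerate clock drift,
    and refuses any counter <= `last_used` so a code that was already accepted
    cannot be replayed during its remaining lifetime.
    """
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    for c in range(max(0, counter - window), counter + window + 1):
        if c <= last_used:
            continue
        # Constant-time comparison so response timing leaks nothing about the code.
        if hmac.compare_digest(hotp(secret_b32, c, len(submitted)).encode(), submitted.encode()):
            return c
    return None


if __name__ == "__main__":
    code = totp(DEMO_SECRET_B32)
    print("current code:", code)
    print("accepted at counter:", verify_totp(DEMO_SECRET_B32, code))
```

The point for the breach numbers above is that the code is derived from a secret the attacker never obtains: a password recovered by spraying, stuffing or phishing yields the first factor only, and the verifier still demands a value computed from the shared secret and the current time. A phisher who also relays a live code gets at most one sign-in; once that counter has been consumed, `verify_totp` rejects the same code.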
Would 2FA Have Stopped the Breaches?
In spray attacks and credential stuffing, the attackers already have a password—they just need to find accounts that use it. With phishing, the attackers have both your password and your account name, which is even worse.
If the Microsoft accounts that were breached in January had had multifactor authentication enabled, just having the password wouldn’t have been enough. The hacker would have also needed access to the phones of his victims to get the MFA code before he could log in to those accounts. Without the phone, the attacker wouldn’t have been able to access those accounts, and they wouldn’t have been breached.
If you think your password is impossible to guess, and you’d never fall for a phishing attack, let’s dive into the facts. According to Alex Weinert, a principal architect at Microsoft, your password actually doesn’t matter that much when it comes to securing your account.
This doesn’t just apply to Microsoft accounts, either—every online account is just as vulnerable if it doesn’t use MFA. According to Google, MFA has stopped 100 percent of automated bot attacks (spray attacks, credential stuffing, and similar automated methods).
If you look at the bottom left of Google’s research chart, the “Security Key” method was 100 percent effective at stopping automated bot, phishing, and targeted attacks.
So, what is the “Security Key” method? It uses an app on your phone to generate an MFA code.
While the “SMS Code” method was also very effective—and it’s absolutely better than not having MFA at all—an app is even better. We recommend Authy, as it’s free, easy to use, and powerful.
How to Enable 2FA for All Your Accounts
You can enable 2FA or another type of MFA for most online accounts. You’ll find the setting in different locations for different accounts. Generally, though, it’s in the account’s settings menu under “Account” or “Security.”
Fortunately, we have guides that cover how to turn on MFA for some of the most popular websites and apps:
- Apple ID
MFA is the most effective way to secure your online accounts. If you haven’t done it yet, take the time to turn it on as soon as possible—especially for critical accounts, like email and banking.