
Why Microsoft Hack Data Means You Might Need New Logins and Passwords


If you’ve had a password hacked recently, you’re not alone.

The volume of password attacks soared to around 921 attacks per second. That’s a 74% year-over-year increase, according to Microsoft’s latest Digital Defense Report.

Big tech companies, including Microsoft, would rather see passwords eradicated, and they’ve made changes for an online future less dependent on this vulnerable security step.

Microsoft users can already securely access Windows, Xbox, and Microsoft 365 without using a password through apps like Microsoft Authenticator and technologies like fingerprint or facial recognition. But many people still rely on passwords and don’t even use two-factor authentication, which is now considered essential.

“As long as passwords are still part of the equation, they’re vulnerable,” Joy Chik, vice president of identity at Microsoft, wrote in a company blog post from September 2021.

Here are six ways to stay protected.

Change identical usernames and passwords quickly, starting with key accounts

For convenience, many people use the same username and password on all accounts, but this also puts them at significant risk of having their information compromised. Based on a sample of more than 39 million IoT and OT devices, around 20% used identical usernames and passwords, according to Microsoft’s report.

If you fall into this category, it’s time to act. Start by focusing on the biggest risks first — email, financial, healthcare and social media sites, said Chris Pierson, founder and chief executive of BlackCloak, a cybersecurity company specializing in preventing targeted attacks against company employees and executives.

Telling someone who has many identical website IDs and passwords to change them all at once is like advising someone to lose 50 pounds by running 20 miles a day and going cold turkey on sweets, he said. A more manageable starting recommendation would be a 15-minute walk once a day around the block and small dietary changes. The same goes for password protection, Pierson said. “Don’t change every password you have. Focus on the riskiest and most damaging accounts.”

Use a password manager to encrypt your data

To keep track of passwords safely and efficiently, security professionals recommend using a secure password manager such as 1Password or KeePass. The user only has to remember one long and strong password and the manager stores the others in an encrypted format. Password managers can also be used to generate secure, random passwords, which are extremely difficult to crack. Even if it requires relying on a third party, password managers generally do a good job of protecting customer data, said Justin Cappos, associate professor at NYU Tandon School of Engineering, whose work focuses on cybersecurity and data privacy.

Choose strong passwords if you don’t use random generation

While randomly generated passwords are good practice, not everyone likes to use them, so at least make sure you’re using credentials that can’t be easily cracked. You can, for example, string together four random words like sun, water, computer and chair for one account, and use another set of four words for a different account, said Roy Zur, founder and chief executive of the online cybersecurity training company ThriveDX.

Using the phrase “moneycashcheckbank,” for example, would take a computer about 23 million years to crack, according to a website run by Security.org, which reviews security products. In contrast, the password “jesus” could be cracked instantly, while the same word with a capital “J” could be cracked in about 9 milliseconds, according to the website.

Enable multi-factor authentication

Some services such as Apple Pay require this additional layer of security for accounts. Even if a vendor does not require its use, multi-factor authentication is a valuable security tool that is underutilized, according to security professionals.

The idea behind multi-factor authentication – which requires two or more credentials – is to make it harder for criminals to infiltrate your accounts. Hackers target the weakest link “and it’s not your job to be the weakest link,” Zur said.

For these purposes, it’s a good idea to use an app like Google Authenticator or a hardware token like a YubiKey, instead of SMS, whenever possible, Cappos said. This is because SMS is vulnerable to SIM swapping and other hacks. “It’s not difficult for a motivated hacker to bypass SMS,” he said.

Google Voice e-commerce scam shows why you should never share a password

It’s a problem that happens all too often, according to the Identity Theft Resource Center’s 2022 Business Impact Report. When asked about the root cause of an account takeover, 45% of businesses said someone clicked on a phishing link or shared account credentials with someone claiming to be a friend; 29% said someone had shared their account credentials with a hacker pretending to be a potential customer, supplier or prospect.

“Passwords are like gum. People shouldn’t share,” Cappos said.

Likewise, never give out a one-time code, even when scammers make it seem like the reason for sharing is legitimate, said Eva Velasquez, president and CEO of the Identity Theft Resource Center.

An increasingly common scam is one where fraudsters pose as interested buyers in online marketplaces. They instruct a seller to read back a unique code allegedly sent by the buyer, often for the stated purpose of “verifying the identity and legitimacy of the seller,” which is what lures victims, Velasquez said. In reality, it’s a way for hackers to create a Google Voice account linked to the seller’s phone number. This allows scammers to perpetrate further scams using a Google Voice number that cannot be traced back to them, she said. The fraud has become so widespread that the ITRC has created an instructional video on how affected consumers can recover their number.

Apple or Microsoft contact you? It probably wasn’t them

In addition to having passwords or other sensitive information compromised by clicking on seemingly legitimate links in their emails, text messages, or social media, people also tend to be hit hard by tech support scams based on computer pop-ups or phone calls. Hackers may pretend to be from reputable companies such as Apple or Microsoft and offer to help consumers fix a security issue they have identified. Consumers are tricked into allowing unfettered access to their computers, giving thieves the opportunity to steal their passwords and other personal data or insist on payment for bogus services rendered, Pierson said.

Remember that reputable companies don’t randomly contact consumers and offer help with computer-related issues. Pierson said consumers shouldn’t engage with an unknown person reaching out, especially if that person’s information isn’t verifiable by independent and reliable means. “Googling a phone number is just not something we would advise either,” he said.

cnbc
