Why Microsoft hack data means you may need new login, password
If you’ve had a password hacked recently, you’re not alone.
The volume of password attacks has increased to an estimated 921 attacks every second. That’s a 74% increase in one year, according to the latest Microsoft Digital Defense Report.
Big tech firms including Microsoft would prefer the world of passwords to be extinct, and they’ve made changes for an online future less reliant on the vulnerable security step.
Microsoft users can already securely access Windows, Xbox and Microsoft 365 without using a password through apps like Microsoft Authenticator, and technologies including fingerprint or facial recognition. But many still rely on passwords, and don’t even use the two-factor authentication that is now considered critical.
“As long as passwords are still part of the equation, they are vulnerable,” Joy Chik, Microsoft’s vice president of identity, wrote in a September 2021 company blog post.
Here are six ways to stay protected.
Change identical usernames, passwords quickly, and first on key accounts
For convenience, many people use the same username and password across accounts, but that also puts them at significant risk of having their information compromised. Based on a sample of more than 39 million IoT and OT devices, about 20% used identical usernames and passwords, according to the Microsoft report.
If you fall into this category, it’s time to take action. Start by focusing on the biggest risks first — email, finance, healthcare and social media, said Chris Pierson, founder and CEO of BlackCloak, a cybersecurity company that specializes in preventing targeted attacks on company employees and executives.
Telling a person who has many identical website logins and passwords to change them all at once is akin to advising someone to lose 50 pounds by running 20 miles a day and going cold turkey on sweets, he said. A more manageable starting recommendation would be a 15-minute walk once a day around the block and small dietary changes. The same is true when it comes to password protection, Pierson said. “Don’t change every single password you have. Focus on accounts with the highest risk and the most damage.”
Use a password manager to encrypt your data
To keep track of passwords safely and effectively, security experts recommend using a secure password manager such as 1Password or KeePass. The user only needs to remember one long, strong master password, and the manager stores the others in an encrypted format. Password managers can also be used to generate secure, random passwords that are very difficult to crack. Although it requires trusting a third party, password managers generally do a good job of protecting customer data, said Justin Cappos, an associate professor at the NYU Tandon School of Engineering whose focus includes cybersecurity and data protection.
Choose strong passwords if you don’t want to use random generation
While randomly generated passwords are a best practice, not everyone likes to use them, so at least make sure you’re using credentials that can’t be easily hacked. For example, you could put together four random words like sun, water, computer and chair for one account, and use a different set of four words for another account, said Roy Zur, founder and CEO of cybersecurity training company ThriveDX.
Using the phrase “moneycashcheckbank,” for example, would take a computer about 23 million years to crack, according to a website maintained by Security.org, which reviews security products. In contrast, the password “jesus” can be cracked instantly, while the same word with a capital “J” can be cracked in about 9 milliseconds, according to the website.
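The four-random-words approach above is a worked example of how much of a difference word count and word-list size make. The block below is an added example, not code from the article or from any of the people quoted in it; the short word list is constructed for illustration, and the list size of 7,776 used in the entropy calculation is an assumption standing in for a real diceware-style list. It picks words with the `secrets` module (a CSPRNG, unlike `random`) and reports the search space an attacker would face.

```python
import math
import secrets

# Constructed sample word list for illustration only. A real generator would
# draw from a list of thousands of words; the entropy math takes the real
# list size as a parameter so the tiny sample does not distort the numbers.
SAMPLE_WORDS = [
    "sun", "water", "computer", "chair", "river", "paper", "stone", "cloud",
    "apple", "window", "garden", "pencil", "tiger", "bread", "coffee", "mountain",
]

DICEWARE_LIST_SIZE = 7776  # assumption: size of a standard 5-dice word list


def generate_passphrase(words, count=4, separator=" "):
    """Pick `count` words uniformly at random using a cryptographic RNG."""
    if count < 1 or not words:
        raise ValueError("need at least one word and a non-empty word list")
    return separator.join(secrets.choice(words) for _ in range(count))


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`.

    A symbol can be a whole word (passphrase) or a single character (password);
    the formula is the same: length * log2(alphabet_size).
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet must have at least 2 symbols, length >= 1")
    return length * math.log2(alphabet_size)


def expected_guesses(bits):
    """On average an attacker finds the secret after searching half the space."""
    return 2 ** bits / 2


def crack_seconds(bits, guesses_per_second):
    """Expected time to exhaust half the keyspace at a given guessing rate."""
    return expected_guesses(bits) / guesses_per_second


def compare_strategies(guesses_per_second=1e10):
    """Contrast a 4-word passphrase with a 5-letter lowercase word.

    The guessing rate is an assumed figure for an offline attack on a fast
    hash; it is only there to make the ratio between the two cases concrete.
    """
    phrase_bits = entropy_bits(DICEWARE_LIST_SIZE, 4)   # 4 words from 7776
    word_bits = entropy_bits(26, 5)                      # 5 lowercase letters
    return {
        "four_word_passphrase_bits": round(phrase_bits, 1),
        "five_letter_word_bits": round(word_bits, 1),
        "passphrase_seconds": crack_seconds(phrase_bits, guesses_per_second),
        "word_seconds": crack_seconds(word_bits, guesses_per_second),
    }


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
    for key, value in compare_strategies().items():
        print(f"{key}: {value:,.1f}")
```

Note that a real dictionary attack does not try every five-letter string; it tries common words first, which is why a word like the one cited in the article falls instantly regardless of the raw character-space arithmetic. The entropy figure is an upper bound that only holds when the words (or characters) are chosen uniformly at random, which is exactly what `secrets.choice` guarantees and a human picking "memorable" words does not.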
Enable multi-factor authentication
Some services such as Apple Pay require this extra layer of security for accounts. Even if a vendor doesn’t require it to be used, multi-factor authentication is a valuable security tool that’s underutilized, according to security experts.
The idea behind multi-factor authentication – which requires two or more pieces of identifying information – is to make it harder for criminals to infiltrate your accounts. Hackers target the weakest link “and your role is not to be the weakest link,” Zur said.
For these purposes, it is advisable to use an app like Google Authenticator or a hardware token like a YubiKey, instead of SMS, whenever possible, Cappos said. That’s because SMS is vulnerable to SIM swapping and other hacks. “It’s not difficult for a motivated hacker to get around SMS,” he said.
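Authenticator apps of the kind recommended above generate time-based one-time passwords (TOTP, RFC 6238): both the app and the service hold the same shared secret, and each derives a short code from that secret and the current 30-second time window. The code below is an added example that is not from the article or from any vendor; it implements the standard using only the Python standard library, includes the server-side check with a small clock-drift window and a constant-time comparison, and uses the test key published in RFC 6238 so the output can be checked against the RFC's own vectors. The base32 helper mirrors how apps usually receive the secret via an `otpauth://` URI.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890").
# A real deployment generates a random secret per user and never reuses this.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC the counter, dynamically truncate to `digits` digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, for_time // step, digits)


def verify_totp(key: bytes, submitted: str, now: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift.

    hmac.compare_digest avoids leaking how many leading digits matched through
    timing. A production server would additionally refuse to accept the same
    code twice within its validity period.
    """
    for drift in range(-window, window + 1):
        candidate = totp(key, now + drift * step, step, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def secret_from_base32(b32: str) -> bytes:
    """Decode the base32 secret as carried in otpauth:// provisioning URIs."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding apps often omit
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_TEST_KEY, now))
    print("RFC vector t=59, 8 digits:", totp(RFC_TEST_KEY, 59, digits=8))  # 94287082
```

Because the code is derived from a secret that never leaves the two endpoints, there is no message in transit to intercept or redirect, which is the property SMS delivery lacks. The hardware-token option the article mentions goes one step further by keeping the secret inside a device that cannot export it.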
Google Voice eCommerce scam shows why you should never share a password
This is a problem that happens all too often, according to the Identity Theft Resource Center’s 2022 Business Impact Report. When asked about the root cause of an account takeover, 45% of companies said someone clicked on a phishing link or shared account credentials with someone claiming to be a friend; 29% said someone shared account credentials with a hacker claiming to be a potential customer, supplier or prospect.
“Passwords are like chewing gum. People shouldn’t share,” Cappos said.
Likewise, never give out a one-time code — even when scammers make their reason for sharing seem legitimate, said Eva Velasquez, president and CEO of the Identity Theft Resource Center.
An increasingly common scam is where fraudsters pose as interested buyers on online marketplaces. They ask a seller to read a one-time code allegedly sent by the buyer, often with the stated purpose of “verifying the seller’s identity and legitimacy,” which draws the victims in, Velasquez said. In reality, it’s a way for hackers to create a Google Voice account linked to the seller’s phone number. This allows scammers to carry out other scams using a Google Voice number that cannot be traced back to them, she said. The scam has become so prominent that the ITRC created an instructional video on how affected consumers can reclaim their number.
Apple or Microsoft contact you? It probably wasn’t them
In addition to passwords or other sensitive information being compromised by clicking on seemingly legitimate links in email, text messages or social media, people also tend to fall hard for tech support scams based on computer pop-ups or phone calls. Hackers may pretend to be from reputable companies such as Apple or Microsoft and offer to help with a security issue they have allegedly identified. Consumers are tricked into allowing unfettered access to their computer, setting in motion the potential for thieves to steal their passwords and other personal data or insist on payment for fraudulent services rendered, Pierson said.
Remember that reputable companies do not randomly contact consumers and offer to help with computer-related problems. Pierson said consumers should not engage with any unknown contact, especially if that person’s information cannot be independently and reliably verified. “Googling a phone number is simply not something we would recommend either,” he said.