Microsoft: 99.9% of hacked people are compromised for one (ridiculous) reason

Surface Pro X display (Image credit: Daniel Rubino/Windows Central)

What you need to know

  • 99.9 percent of compromised Microsoft accounts don't have multi-factor authentication enabled.
  • 1.2 million Microsoft accounts were compromised in January 2020.
  • Microsoft emphasized the risks of not using multi-factor authentication at the RSA security conference last week.

Around 1.2 million Microsoft accounts were compromised in January 2020 alone, and almost all of them could have been protected by turning on a single setting. According to Microsoft engineers, 99.9 percent of the compromised accounts they track did not have multi-factor authentication enabled. Microsoft discussed account security and the risks of not using multi-factor authentication at the RSA security conference last week (via ZDNet).

At the RSA conference, Microsoft pointed out that it tracks more than 30 billion login events every day. On average, about 0.5 percent of accounts are compromised each month, and with over one billion active users, that worked out to around 1.2 million compromised accounts in January alone.

Microsoft emphasized the enterprise risk of not having multi-factor authentication enabled. Enterprise accounts often have access to sensitive data, yet only 11 percent of enterprise users had multi-factor authentication enabled in January 2020, according to Microsoft.

According to Microsoft, the most common form of attack against Microsoft accounts is password spraying. Rather than hammering one account with many guesses, the attacker takes a short list of easy-to-guess passwords and tries each one against a long list of usernames, one password at a time across all of them. Each account sees only a handful of failures, which keeps the attack below lockout thresholds while still finding the users who picked a weak password.

The second most common method of attack is password replay, also known as credential stuffing. With this technique, an attacker takes credentials leaked from a breach at another company and tries them against Microsoft accounts. It relies on people using the same password across multiple accounts. Lee Walker, Identity and Security Architect at Microsoft, says that 60 percent of users reuse passwords. He also adds, "Don't be confused. People reuse their enterprise accounts in non-enterprise environments."

According to Walker, the vast majority of password spraying and password replay attacks target older legacy authentication protocols, the basic-authentication mail protocols such as SMTP, IMAP and POP3. Specifically, 99 percent of all password spray attacks and 97 percent of password replay attacks go through legacy authentication protocols. The reason, according to Microsoft, is that these protocols present only a username and password and cannot be challenged for a second factor, so multi-factor authentication does not protect them even when it is enabled on the account. Microsoft states that companies that disable legacy authentication protocols see a 67 percent reduction in compromised accounts.
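The two attack patterns described above leave different fingerprints in sign-in logs: a spray is one source failing against many users a few times each, while a brute force is one source failing against one user many times. The following is an added example, not code from the article or from Microsoft, that classifies failed sign-ins by source IP on that basis and reports what share of each source's attempts came through legacy clients. The sample events are constructed, and the field names (user, ip, client, success), the legacy client names and the thresholds are simplifications assumed for the example rather than the real Azure AD sign-in log schema.

```python
from collections import defaultdict

# Constructed sample sign-in events, loosely modelled on Azure AD sign-in log
# fields (userPrincipalName, ipAddress, clientAppUsed, status). Not real data;
# the field names are a simplification chosen for this example.
SAMPLE_EVENTS = [
    # Password spray: one source, many users, one failure each, via legacy clients
    *[{"user": f"user{i}@contoso.example", "ip": "203.0.113.10",
       "client": "IMAP4" if i % 2 else "SMTP", "success": False} for i in range(20)],
    # ...and the one guess that landed: a reused password on a legacy client
    {"user": "user3@contoso.example", "ip": "203.0.113.10", "client": "IMAP4", "success": True},
    # Brute force: one source hammering a single account through the browser
    *[{"user": "cfo@contoso.example", "ip": "198.51.100.7",
       "client": "Browser", "success": False} for _ in range(25)],
    # Ordinary user who mistypes a password twice, then signs in
    {"user": "alice@contoso.example", "ip": "192.0.2.44", "client": "Browser", "success": False},
    {"user": "alice@contoso.example", "ip": "192.0.2.44", "client": "Browser", "success": False},
    {"user": "alice@contoso.example", "ip": "192.0.2.44", "client": "Browser", "success": True},
]

# Client names that authenticate with only a username and password and so can
# never be challenged for MFA. Assumed subset of clientAppUsed values.
LEGACY_CLIENTS = {"IMAP4", "POP3", "SMTP", "Authenticated SMTP",
                  "Exchange ActiveSync", "Other clients"}

# Thresholds are assumptions for this example; tune them to your tenant.
SPRAY_MIN_USERS = 10      # distinct users failing from one source
SPRAY_MAX_PER_USER = 3    # sprays stay below lockout: few failures per user
BRUTE_MIN_FAILURES = 10   # many failures against one user from one source


def classify_sources(events):
    """Group failed sign-ins by source IP and label each source.

    Returns {ip: {"label", "users", "failures", "legacy_share"}}.
    """
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failures
    legacy = defaultdict(int)                          # ip -> failures via legacy
    for ev in events:
        if ev["success"]:
            continue
        failures[ev["ip"]][ev["user"]] += 1
        if ev["client"] in LEGACY_CLIENTS:
            legacy[ev["ip"]] += 1

    report = {}
    for ip, per_user in failures.items():
        total = sum(per_user.values())
        users = len(per_user)
        worst = max(per_user.values())
        if users >= SPRAY_MIN_USERS and worst <= SPRAY_MAX_PER_USER:
            label = "password spray"
        elif worst >= BRUTE_MIN_FAILURES:
            label = "brute force"
        else:
            label = "benign"
        report[ip] = {"label": label, "users": users, "failures": total,
                      "legacy_share": legacy[ip] / total}
    return report


def spray_success_check(events, sprayers):
    """A spray matters once it lands: users who signed in from a spraying source."""
    return sorted({ev["user"] for ev in events
                   if ev["success"] and ev["ip"] in sprayers})


if __name__ == "__main__":
    report = classify_sources(SAMPLE_EVENTS)
    for ip, info in report.items():
        print(f"{ip:16} {info['label']:15} users={info['users']:3} "
              f"failures={info['failures']:3} legacy={info['legacy_share']:.0%}")
    sprayers = {ip for ip, info in report.items() if info["label"] == "password spray"}
    print("accounts compromised by spray:", spray_success_check(SAMPLE_EVENTS, sprayers))
```

Pivoting on source IP is the simplest cut; real sprays rotate through many addresses, so in production the same grouping is also run per user agent and per short time window. The `legacy_share` column is the practical takeaway from the talk: if the sources you flag are arriving over IMAP4 or SMTP, turning on MFA alone will not stop them, and legacy authentication has to be blocked as well.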

The easiest way to reduce the risk, according to Microsoft, is to enable multi-factor authentication. Microsoft states that an account is more than 99.9 percent less likely to be compromised when multi-factor authentication is enabled.

There's really no excuse not to use multi-factor authentication at this point.

Sean Endicott
News Writer and apps editor

Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up.

  • Probably people at home don't use two-factor authentication to log in to their PCs.
    However, at work, some offices probably require two-factor to log in.
  • I use it on nearly all my accounts, and I never worry even if I give my password to the hacker 😅
    Unless the hacker is someone from the neighbourhood 😬😂
  • Soon two-factor authentication apps will be compromised.... They end up needing to just use something harder. Plus the Microsoft Authenticator app they have appears to be a disaster. Look at all the poor fellas that can't get their accounts back, period.
  • The biggest risk with 2FA is SIM swapping, whereby a hacker calls your cell phone company to transfer the number to another SIM card and puts it in their phone. Now they can go to your various accounts and use your cell number as 2FA. What we need is 3FA.
  • It's going to end up being eye retina or fingerprint as a form of identification. The two-factor apps are just not good enough.
  • No, all we need is to not use 2FA with phone numbers and just use a 2FA app's generated codes. The latter stays on your phone regardless of what may happen to your SIM.
  • This can be solved by appending a fixed set of numbers in conjunction with the 2FA code. That number needs to be remembered. And you choose, when setting up the 2FA, where to put the fixed numbers: before, after or in the middle. I don't understand why the hell these companies still have not implemented this simple thing. This could make accounts and banking transactions so much more secure.
  • Huh... I was going to guess porn
  • 2FA is well hidden in the security or privacy settings of many apps and websites, and the process is not well explained on some implementations. Non-tech-savvy users won't even know it exists or how to use it. Make it mandatory when signing up, or prompt the user to set it up immediately after initial sign-up with a deadline.
    Have a clear tutorial to set it up.
  • Totally agree with this one. Most websites, even popular ones like Facebook and Twitter, have it hidden, buried deep in the settings.
  • 99.9% are compromised because of using an easy-to-guess password, not because of not using 2FA. This would be a great and shareable article if it had a better title.
  • Just log on locally without any account or gibberish Microsoft account and other useless nonsense.
  • This isn't *why* they're hacked. It's an easy way to prevent it, but I can say from personal experience that 2FA is a disaster waiting to happen, ESPECIALLY with a Microsoft account, given Microsoft's anal-to-the-point-of-hindering-the-user security. I lost an account to 2FA when my phone died. I had to get it replaced, and couldn't get the authenticator removed without verifying myself, something that wouldn't work as no matter what I did, Microsoft claimed it 'wasn't enough information to verify my identity'. Bull. S**t. If you use something like Authy you might be safe. But otherwise, I don't think people SHOULD use 2FA, not with Microsoft. With most you can call in and say 'hey, I broke my f*cking phone and can't get into my account' and they'll just 'o-ho-kay!'. Not so with Microsoft.
  • ... Unless you log in multiple times a day and, due to heavy virtualization, extra security and backup services, a limited service and the flex office strategy at work, the PC logs out automatically after 15 minutes, sometimes even 10 minutes, with up to 2-minute login times to virtual accounts. I spend up to an hour a day logging in when I could productively be doing work on the PC.
    At the end of the day, when waiting and wasting time to log in is the real-world scenario, I can understand that a no-excuse two-step authentication default is a wonderful utopian thought, but it does not reflect true real-world, everyday fluid performance. I can understand the frustration of wasting time not getting work done. I think the why is just as important to know as the plain facts summarized here in this article. I think then the 99.99% would be a whole different story to get to the root of the problems.