Watch Out: 99.9 Percent of Hacked Microsoft Accounts Don’t Use 2FA

The Microsoft sign in front of the company's headquarters. VDB / Shutterstock photos

Two-Factor Authentication (2FA) is the most effective method to prevent unauthorized access to an online account. Need convincing? Take a look at these jaw-dropping numbers from Microsoft.

The hard numbers

In February 2020, Microsoft gave a presentation at the RSA Conference titled “Breaking Password Dependencies: The Last Mile Challenges at Microsoft”. The whole presentation is fascinating if you want to know how user accounts are secured. Even if that topic sounds mind-numbing, the statistics it presented were incredible.

Microsoft tracks over 1 billion active accounts each month, which is nearly one-eighth of the world’s population. These generate over 30 billion monthly login events. Each login to an O365 corporate account can generate multiple login entries across multiple apps, as well as additional events for other apps that use O365 for single sign-on.

If that number seems large, keep in mind that Microsoft stops 300 million fraudulent login attempts every day. Not per year or per month: 300 million per day.

In January 2020, 480,000 Microsoft accounts, or 0.048% of all Microsoft accounts, were compromised by password spray attacks. This is when an attacker tries a single common password (like “Spring2020!”) against lists of thousands of accounts, in the hope that some of them use that common password.

Sprays are just one form of attack; hundreds of thousands more accounts were compromised by credential stuffing. To carry these out, the attacker buys usernames and passwords on the dark web and tries them on other systems.
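Password spraying, as described above, leaves a recognisable trace in sign-in logs: one source producing failed logins spread thinly across many different usernames, as opposed to a brute force hammering one account. The following Python is an added example (not from the article) that flags that pattern over a constructed set of log records and lists any account that did sign in successfully from a spraying source as a candidate compromise; the log format, IP addresses and thresholds are assumptions.

```python
"""Flag password-spray patterns in sign-in logs: one source, failed logins
spread thinly across many distinct usernames (added example, not the article's)."""
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records, not real data: timestamp, source IP, user, result.
SAMPLE_LOG = """\
2020-01-14T08:00:01Z 203.0.113.5 alice FAIL
2020-01-14T08:00:02Z 203.0.113.5 bob FAIL
2020-01-14T08:00:03Z 203.0.113.5 carol FAIL
2020-01-14T08:00:04Z 203.0.113.5 dave FAIL
2020-01-14T08:00:05Z 203.0.113.5 erin FAIL
2020-01-14T08:00:06Z 203.0.113.5 frank FAIL
2020-01-14T08:00:07Z 203.0.113.5 grace SUCCESS
2020-01-14T08:01:00Z 198.51.100.7 alice FAIL
2020-01-14T08:01:05Z 198.51.100.7 alice FAIL
2020-01-14T08:02:00Z 192.0.2.10 alice SUCCESS
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def detect_spray(log_text, min_accounts=5, max_fail_ratio=2.0, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for sources whose failures within any `window`
    hit >= min_accounts distinct users at <= max_fail_ratio failures per user;
    successes from a flagged source are listed as candidate compromised accounts."""
    fails, successes = defaultdict(list), defaultdict(set)
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            fails[ip].append((ts, user))
        else:
            successes[ip].add(user)
    findings = {}
    for ip, events in fails.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window forward
                start += 1
            chunk = events[start:end + 1]
            users = {u for _, u in chunk}
            if len(users) >= min_accounts and len(chunk) / len(users) <= max_fail_ratio:
                if best is None or len(users) > best["accounts"]:
                    best = {"accounts": len(users), "failures": len(chunk),
                            "compromised": sorted(successes[ip])}
        if best:
            findings[ip] = best
    return findings
```

On the sample data only 203.0.113.5 is flagged (six accounts, one failure each, then a success for grace); 198.51.100.7 fails repeatedly against a single account and is left for a separate brute-force rule.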

Then there is phishing, when an attacker convinces you to log into a fake website in order to capture your password. These methods are how online accounts are generally ‘hacked’, in everyday language.

In total, over a million Microsoft accounts were breached in January. That’s just over 32,000 compromised accounts per day, which sounds bad until you remember the 300 million fraudulent login attempts stopped per day.

But the most important number of all is this: 99.9% of all Microsoft account breaches would have been stopped if the accounts had had two-factor authentication enabled.


What is two-factor authentication?

As a reminder, two-factor authentication (2FA) requires an additional method to authenticate your account rather than just a username and password. This additional method is often a six-digit code sent to your phone by SMS or generated by an application. You then enter this six-digit code as part of the login procedure for your account.

Two-factor authentication is a type of multi-factor authentication (MFA). There are other MFA methods as well, including physical USB tokens that you plug into your device or biometric scans of your fingerprint or eye. However, a code sent to your phone is by far the most common.

However, multi-factor authentication is a broad term – a very secure account might require three factors instead of two, for example.


Would 2FA have stopped the breaches?

In spray attacks and credential stuffing, attackers already have a password – they just need to find the accounts that use it. With phishing, attackers have both your password and your account name, which is even worse.

If multi-factor authentication had been enabled on the Microsoft accounts breached in January, having the password alone wouldn’t have been enough. The attacker would also have needed access to the victims’ phones to obtain the MFA code before logging in. Without the phone, the attacker could not have accessed these accounts, and they would not have been breached.

If you think your password is impossible to guess and you’ll never fall for a phishing attack, let’s look at the facts. According to Alex Weinert, principal architect at Microsoft, your password doesn’t actually matter when it comes to securing your account.

This doesn’t just apply to Microsoft accounts – every online account is just as vulnerable if it doesn’t use multi-factor authentication. According to Google, MFA stopped 100% of automated bot attacks (spray attacks, credential stuffing and similar automated methods).

If you look at the bottom left of Google’s table, the “Security Key” method was 100% effective in stopping automated bots, phishing, and targeted attacks.

So what is the “Security Key” method? It uses an app on your phone to generate an MFA code.

While the “SMS Code” method was also very effective – and it’s absolutely better than not having MFA at all – an app is even better. We recommend Authy because it’s free, easy to use, and powerful.


How to activate 2FA for all your accounts

You can activate 2FA or another type of MFA for most online accounts. You will find the setting in different places for different accounts. Usually, however, it can be found in the account settings menu under “Account” or “Security.”

Fortunately, we have guides that explain how to enable multi-factor authentication for some of the more popular websites and apps:

MFA is the most effective way to secure your online accounts. If you haven’t already, take the time to activate it as soon as possible, especially for critical accounts like email and banking.
