The Microsoft threat research team scanned all Microsoft user accounts and found that 44 million users were employing usernames and passwords that leaked online following security breaches at other online services.

The scan took place between January and March 2019.

Microsoft said it scanned user accounts using a database of over three billion leaked credentials, which it obtained from multiple sources, such as law enforcement and public databases.

The scan effectively helped Microsoft identify users who reused the same usernames and passwords across different online accounts.

The 44 million total included Microsoft Services Accounts (regular user accounts), but also Azure AD accounts.

"For the leaked credentials for which we found a match, we force a password reset. No additional action is required on the consumer side," Microsoft said.

"On the enterprise side, Microsoft will elevate the user risk and alert the administrator so that a credential reset can be enforced," it added.

The OS maker has been a staunch advocate and promoter of multi-factor authentication (MFA) solutions.

Earlier this summer, the company said that enabling an MFA security measure for a Microsoft account blocks 99.9% of all attacks and that MFA bypass attempts are so rare its security team doesn't even have statistics on this type of threat.

ZDNet