MICROSOFT has issued a stark warning to those who reuse their passwords across multiple online accounts.
In a blog post this week, the US tech titan said it had identified an uptick in the use of “password spray” attacks over the past 12 months.
They involve hackers gathering a list of usernames and passwords leaked online and plugging them into various websites.
Cyber crooks hope to eventually stumble across a working combination that gives them access to someone’s email or social media accounts.
From there, they can attempt to break into more sensitive accounts such as your bank or iCloud.
The attacks were identified by Microsoft’s Detection and Response Team (DART), which is dedicated to identifying the latest cyber attack methods.
“This threat is a moving target with techniques and tools always changing,” researchers wrote on Tuesday.
“They are different from brute-force attacks, which involve attackers … attempting to attack a small number of user accounts.”
The researchers identified two commonly used kinds of password sprays.
One involves matching known usernames to commonly used passwords, such as “password” or “123456”.
The hope is that they will eventually “guess” the correct combination for as many users as possible.
The second technique highlighted by Microsoft involves usernames and passwords that have been leaked online by crooks in the past.
The 2012 LinkedIn hack, for instance, saw the usernames and passwords of 6.5million users stolen by cyber crooks and sold online.
Google estimates that over 4billion username and password combinations have leaked in recent years.
Hackers can plug these combinations into other websites in the hope that you’ve reused them across multiple online accounts.
Microsoft said: “Once attackers have gained the credentials to an account, they can access any sensitive resources that users can access and have the malicious activity appear as normal.
“This creates a repeating cycle attack pattern, where one compromised account can lead to access to resources where additional credentials can be harvested, and thus even further resource access.”
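For defenders, the contrast Microsoft draws between a spray and a brute-force attack shows up in the shape of failed sign-ins. The sketch below is an added example, not code from Microsoft or this article; the log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data); IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2021-10-26T09:00:01 203.0.113.7 alice FAIL
2021-10-26T09:00:09 203.0.113.7 bob FAIL
2021-10-26T09:00:17 203.0.113.7 carol FAIL
2021-10-26T09:00:26 203.0.113.7 dave FAIL
2021-10-26T09:00:34 203.0.113.7 erin FAIL
2021-10-26T09:01:00 198.51.100.4 alice FAIL
2021-10-26T09:01:02 198.51.100.4 alice FAIL
2021-10-26T09:01:04 198.51.100.4 alice FAIL
2021-10-26T09:01:06 198.51.100.4 alice FAIL
2021-10-26T09:01:08 198.51.100.4 alice FAIL
2021-10-26T09:02:00 192.0.2.10 bob FAIL
2021-10-26T09:02:30 192.0.2.10 bob OK
"""

def parse_failures(text):
    """Return time-ordered (time, ip, user) tuples for failed sign-ins."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        if result == "FAIL":
            events.append((datetime.fromisoformat(ts), ip, user))
    return sorted(events)

def classify_sources(events, window=timedelta(minutes=10),
                     min_users=5, max_per_user=2, brute_tries=5):
    """Label each source IP by the shape of its failures inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, rows in by_ip.items():
        verdicts[ip] = "normal"
        for i, (start, _) in enumerate(rows):
            tries = Counter(u for t, u in rows[i:] if t - start <= window)
            if len(tries) >= min_users and max(tries.values()) <= max_per_user:
                verdicts[ip] = "password-spray"  # many accounts, few guesses each
                break
            if max(tries.values()) >= brute_tries:
                verdicts[ip] = "brute-force"     # few accounts, many guesses
                break
    return verdicts

if __name__ == "__main__":
    print(classify_sources(parse_failures(SAMPLE_LOG)))
```

Grouping by source IP is a simplification: failures spread across many sources would need to be grouped on another attribute to show the same pattern.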
How to check if your passwords are safe
The free Password Checkup software can be loaded onto Google Chrome and lets you know if your account details have been compromised in a cyber attack or data breach.
Once installed, the Chrome extension runs in the background of your browser and checks any login details you used.
If your password or username matches a Google database of more than 4billion compromised credentials, the software will flag them.
An alert that pops up on your screen reads: “Password Checkup detected that your password for [website] is no longer safe due to a data breach. You should change your password now.”
If a new data breach occurs, the tool will let you know if any of your passwords were compromised the next time you log in to Chrome.
It gives you any exposed accounts in a small list that you can click through to change your passwords.
All information is encrypted, and Google says it has no way of seeing your data.
“We built Password Checkup so that no one, including Google, can learn your account details,” Google said.
“Password Checkup was built with privacy in mind. It never reports any identifying information about your accounts, passwords or device.”
You can download Password Checkup from the Chrome webstore.
Alternatively, popular web-tool Have I Been Pwned also lets you check if you’ve ever been hacked.