For years, I’ve been talking about drive-by lootings, where security screwups on the part of Company A cause damage to an innocent Company B.

In this case, Microsoft (legally!) used the leaked password lists from LinkedIn, eHarmony, Yahoo and other breaches and compared them to their existing users.

Surprise, surprise – approximately 20% (one in five) of Microsoft users reuse their usernames & passwords from other sites.

Lesson#1:

While I believe in recycling and being green, REUSING CREDENTIALS ACROSS SITES IS A BAD IDEA!

Lesson#2:

Learn from Microsoft and hack YOUR user’s passwords PROACTIVELY!

(note: This practice SHOULD be in your company’s security policies and you really, really must get written permission from users or your employer…otherwise, you may become an involuntary guest of the US Penal System).
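Lesson#2 in practice, as an added example that is not from this post or from Microsoft: a defender-side check that compares a leaked (username, password) list against your own user store. Only the leaked passwords get hashed, against each matching user's stored salt and hash, so no local plaintext is ever needed; the user store, the breach dump and the PBKDF2 parameters are constructed for the demo.

```python
import hashlib
import hmac
import os
ITERATIONS = 100_000  # PBKDF2 work factor; raise for production use


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of a password with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store(users: dict) -> dict:
    """Setup only: builds the salted-hash store a real site already holds."""
    store = {}
    for user, password in users.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(password, salt))
    return store


def find_reused_credentials(store: dict, leak: list) -> dict:
    """For each leaked (username, password) whose username is one of ours,
    test whether the leaked password also unlocks the local account."""
    results = {}
    for user, leaked_pw in leak:
        if user not in store:
            continue  # not our customer, nothing to compare
        salt, stored = store[user]
        results[user] = hmac.compare_digest(hash_password(leaked_pw, salt), stored)
    return results


def reuse_rate(results: dict) -> float:
    """Share of matching usernames whose leaked password works here too."""
    return sum(results.values()) / len(results) if results else 0.0


# Constructed test data: neither real accounts nor real breach records.
LOCAL_USERS = {"alice@example.com": "correct horse battery staple",
               "bob@example.com": "bob-unique-2012",
               "carol@example.com": "Tr0ub4dor&3",
               "dave@example.com": "dave-only-here",
               "erin@example.com": "erin-unique-here"}
LEAKED = [("alice@example.com", "correct horse battery staple"),  # reused
          ("bob@example.com", "bob-at-other-site"),
          ("carol@example.com", "carol123"),
          ("dave@example.com", "dave-other-site"),
          ("erin@example.com", "erin-elsewhere"),
          ("zed@example.net", "not-our-user")]  # not ours, ignored
STORE = make_user_store(LOCAL_USERS)


def run_check() -> tuple:
    results = find_reused_credentials(STORE, LEAKED)  # accounts to force-reset
    return results, reuse_rate(results)
```

Accounts flagged True should get a forced reset and a notification; the rate is computed over matching usernames only, which is the same denominator Doerr's 20% figure uses.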

From ZDNet.com:

About 20 percent of Microsoft Account logins are found on lists of compromised credentials in the wake of hack attacks on other service providers, the company has said.

People re-use passwords and login details across services from different providers, Microsoft Account group manager Eric Doerr noted in a blog post on Sunday. That reuse means that if one set of logins is compromised, other accounts are at risk.

“These attacks shine a spotlight on the core issue — people reuse passwords between different websites,” said Doerr, speaking after the Yahoo breach last week that exposed 400,000 user details. “On average, we see successful password matches of around 20 percent of matching usernames.”

Doerr revealed the figure in a run-down of some Microsoft Account security practices, meant to reassure customers after the Yahoo hack. Microsoft Account is a single sign-on tool for Microsoft services such as SkyDrive, Hotmail, Xbox and Messenger.

via “One in five Microsoft logins are in hands of hackers” | ZDNet.