Back to Blog

How were we Hacked? Part 1

How were we Hacked? Part 1

When we read about hackers, we either think of people in Anonymous wearing Guy Fawkes masks or else that film from the mid-’90s were roller blade rolling teens bring down the baddies with elaborate rabbits and trojan horses.  While complicated CIA type hacking may exist the VAST majority of hacking is simply someone getting your password and logging in online just like you would

The VAST majority of hacking is simply someone getting your password and logging in online just you would

How hackers get your credentials?

So how are hackers getting our passwords?  Understanding this will lead us to be more careful in how we create, manage, use, and re-use our credentials.

1)  It was so bad it got guessed - Password spraying

Many people simply cannot fathom that they will ever be the one to get their account hacked.  “Sure, it will never happen to me.  Why would a hacker be interested in me?  I’ll just use “Password1” cause I could not be bothered coming up with a better one and remembering it”.   Many of us would gasp at this contrived example, but it does happen.  A lot.  One way or another, there is a reason why “Password1” is on the list of most used passwords because there is no end of people like this.  I’ve seen it used and hacked in corporate environments.  

The reason this happens is not that the password is weak in and of itself, but rather that people think they are unimportant, off the beaten track, it will happen to someone else.  This is where they are wrong.  Using a technique called password spraying, hackers use automated programs to try random accounts against the most common passwords rapidly. It is happening 24x7, 365 days a year.  So it is only a matter of time before you are hit.  

2)  A strong password, but used everywhere - Credential Stuffing

So you now have a strong password.  Its m2knaKaKatlB*”, derived from the first letters of each word in the sentence “my two kids names are Karl and Kate and They like Big * (stars)“.  This is an excellent approach.  It’s memorable to you, contains secret knowledge, and includes capitals and symbols.  However, you liked it so much you used it for a few sites, including  and The problem now is that the well-meaning but much less security-conscious people at the gnomes sites, and yahoo may get hacked and lose all passwords. Now all sites using the same password are also wide open.  These hacks frequently happen and from big names too (including yahoo).  When usernames and passwords get breached en mass, they get re-distributed amongst the baddies who then try them for other sites/domains in a technique called credential stuffing

So by using the same password at Office365 and, you implicitly make the typically reasonably secure Office 365 as weak as the dodgy gnome site.  And the more you do it, the higher the risk.  So STOP.  Make up a new password for EACH site and use a free password manager like LastPass, 1Password, Dashlane or similar, to remember them all for you.  

Thankfully, for existing passwords, it is possible to safely check your usernames and passwords against these credential stuffing lists. is reputable and safe to use for this purpose.  Make sure you check the URL and send it directly to your employees to ensure this, and only this, is used.  

3) Clicked a link and entered credentials - Phishing

You get a legit-looking email purporting to be from a reputable vendor or site asking you to come in and do something.  It looks important.  You click, it takes you to (note the extra ‘s’), requests for credentials which you duly enter.  

Phishing (and its variants: spear phishing, smishing, whaling, vishing) is some of the hardest attacks types to combat because it is a social engineering trick.  Again a human weakness completes the exploit.  No matter how we inform and educate employees, they just keep clicking those links eventually.

The best defence is a combination of regular education, anti-phishing policies and anti-spoofing in your Office 365 tenant, using Multi-Factor Authentication, and checking/managing the location of user activities.

4) Wrote password on a yellow sticky note

Then you stuck it to your monitor.  You can trust all the people who pass your desk, right?  All of them?  Forever?  What happens if you work in an open office, or the cleaner moonlights as a hacker or Bob the disgruntled ex-employee decides to “show them” how wrong they were to fire him.   The list goes on.  Again the best solution is simply DONT do this.  Use a password manager, MFA

5) Brute Force

Unless you are using a 30 digit randomised password, then there is always a chance this can happen.  Especially if you are someone of importance in your company or outside of it.  The risk, however, is low.  With a strong password, it’s far more likely that a phishing attack or re-using it elsewhere will lead you to ruin.  

6) Keyloggers

Key loggers are another risk on the lower end of possibilities.  Keyloggers are used in targetted attacks where the attacker either knows you personally or targets you specifically.  The odds increase if you are a high-value employee (CEO, CFO, accountant, etc.) or if you work in a large or high-value organisation.  Keyloggers can use hardware or software (malware) to gather information.  Naturally, software versions are higher risk since they require only malware installation to get what they need.  

Preventing against software keyloggers requires everything from good general hygiene, malware detection and prevention etc.  Update Malware filter policies

General of Preventions and Solutions

Unfortunately, given the myriad of ways that credentials are at risk, the best approach is on many fronts.

  1. Use a password manager to generate a strong and unique password for every site/domain.
  2. Monitor remote access events in the audit logs.
  3. Role out MFA to high value, high risk and administrators
  4. Update Malware filter policies
  5. Anti-Phishing Policies
  6. Anti Spoofing Intelligence
  7. Ask your employees to check their credentials against  Act accordingly
Octiga - An easy All Angles solution?

Octiga to the rescue!  

Octiga offers Office 365 automated solutions to help you configure many of the above items easily. Octiga's detect feature monitors for changes and dodgy logins. If you suspect a breach, then the recover feature will help you with rapid detection and remediation. Schedule an appointment to experience an easy, guided and automated security journey today.

More from the Blog

A Closer Look at the Midnight Blizzard Crew

Microsoft's security team has recently made a significant discovery regarding an increase in cyber-attacks orchestrated by the Russian state-backed group known as the Midnight Blizzard crew. This group, which also operates under the aliases Nobelium, APT29, Cozy Bear, Iron Hemlock, and The Dukes, has been actively targeting personal credentials, according to Microsoft's findings.

Read Story

Navigating M365 Secure Score Limitations for MSPs

Discover the limitations of the M365 Secure Score for MSPs. Understand the scope and potential restrictions when using this tool to assess and enhance the security posture of Microsoft 365 environments. Know how to navigate through these shortcomings.

Read Story

Octiga Vs Flying Solo with Office 365 Security for MSPs

The purpose of the Octiga Office 365 security app is not to replace M365 security but to ensure that MSPs can deliver it consistently, coherently and rapidly to all your clients. A short video explains how Octiga makes MSPs' work super efficient and super fast.

Read Story

Never miss a minute.

Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa.
We will never share your email address with third parties.