CyberSecurity news

Lawrence Abrams @BleepingComputer
A recent Microsoft Entra ID security update caused widespread account lockouts across numerous organizations, highlighting the risks that accompany the rollout of new security features. The issue stemmed from the deployment of a new "leaked credentials" detection app called MACE (Microsoft Account Credential Evaluation). The feature inadvertently flagged legitimate user accounts as compromised, triggering automatic lockouts even where strong, unique passwords and multi-factor authentication (MFA) were in place.

Microsoft confirmed that the Entra account lockouts over the weekend were due to the invalidation of short-lived user refresh tokens that had mistakenly been logged into internal systems. The problem was traced to an internal logging error: a subset of these tokens was being logged in full, rather than only their metadata as standard practice requires. The logging error was identified on April 18, 2025, and promptly corrected.

The incident caused significant disruption as Windows administrators from numerous organizations reported receiving alerts that user credentials had been found leaked on the dark web. However, users noticed discrepancies, such as passwordless accounts being affected and no matches on Have I Been Pwned (HIBP), raising suspicions of false positives. Microsoft has advised affected customers to use the “Confirm User Safe” feature in response to the erroneous alerts and is working to prevent future occurrences.


References:
  • BleepingComputer: Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems.
  • The DefendOps Diaries: Microsoft Entra ID Glitch: Lessons from a Security Feature Misstep
  • www.bleepingcomputer.com: Widespread Microsoft Entra lockouts tied to new security feature rollout
  • www.techradar.com: Microsoft appears to have flagged some users’ credentials as being compromised erroneously, locking them out.
  • Blog: Microsoft leaked credentials false positives trigger widespread lockouts
  • cybersecuritynews.com: Microsoft Addresses Entra ID Token Logging Issue, Alerts to Protect Users
  • hackread.com: Was your Microsoft Entra ID account locked? Find out about the recent widespread lockouts caused by the new…
  • www.bleepingcomputer.com: Windows administrators from numerous organizations report widespread account lockouts triggered by false positives in the rollout of a new Microsoft Entra ID's "leaked credentials" detection app called MACE.
Classification:
  • HashTags: #Microsoft #EntraID #Security
  • Company: Microsoft
  • Target: Microsoft Entra users
  • Product: Entra ID
  • Feature: Account Lockouts
  • Type: Bug
  • Severity: Medium