
April 21, 2025

Issue in Microsoft's "leaked credentials" feature triggers widespread lockouts


A recent rollout of a new Microsoft security feature, the "leaked credentials" detection component of Microsoft Entra ID known as MACE, has inadvertently locked out user accounts across many organizations. Administrators reported that large numbers of accounts were automatically locked after the service flagged their credentials as compromised, even though those credentials were unique and had not been used anywhere else.

The issue began on the evening of April 18, 2025, when Windows administrators noticed Entra alerts stating that certain users' credentials had been found on the dark web or in other public locations. The alerts triggered automatic lockouts of the affected accounts, impacting a significant number of users within each organization.


Microsoft has since acknowledged the problem, attributing it to user refresh tokens that had mistakenly been logged into its internal systems and were then invalidated. The advisory it issued to customers clarifies that the alerts, and the lockouts that followed, were the result of this error rather than of any actual credential exposure.

Administrators are advised to review their Entra ID configurations and monitor for any further anomalies as Microsoft works to resolve the issue.

Source: Bleeping Computer

Analysis

It’s encouraging to see Microsoft continue improving its security offerings with features like Entra ID’s leaked credentials detection. Leaked credential detection services, like those included in Field Effect MDR Complete, can help prevent credential-based attacks before they escalate.

However, the rollout of this Microsoft feature was mishandled in a way that caused confusion and disruption across enterprises, with IT and security teams forced to investigate what appeared to be an active compromise, all during a holiday weekend.

Only afterward did Microsoft confirm the alerts were due to a backend issue involving refresh tokens, not actual credential leaks. By then the damage was already done: defenders had spent hours chasing false positives, resetting accounts, and responding to user complaints.

This incident highlights a critical tension in modern cybersecurity: balancing proactive defense with operational stability. Automated features like leaked credential detection are only as effective as their implementation allows. Rolling them out without clear communication, documentation, or opt-in controls undermines trust and burdens the very teams they’re meant to help.

Hopefully, Microsoft learns its lesson and prioritizes transparency and administrator control in future feature rollouts.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for threats targeting cloud infrastructure and leaked credentials.

Field Effect MDR users are automatically notified if suspicious connections are made to their cloud accounts and are encouraged to review their AROs as quickly as possible via the Field Effect Portal. Additionally, Field Effect MDR Complete users are advised of leaked credentials and personally identifiable information (PII) on a monthly basis.

Users who received alerts from Microsoft, or AROs from Field Effect, about leaked Entra ID credentials between 4/20/25 4AM UTC and 4/20/25 9AM UTC can disregard them; they stem from the Microsoft-side error described above. Alerts received outside that window should be investigated as usual.
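As an added example (not from the original article, and not Microsoft's or Field Effect's tooling), the following PowerShell uses the Microsoft Graph PowerShell SDK to pull the tenant's leaked-credential risk detections and separate those that fall inside the window above from those that do not. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account holds a role permitted to read, and optionally dismiss, Identity Protection risk; the choice to dismiss in-window risk is this example's own suggestion and is switched off by default.

```powershell
# Added example: triage Entra ID leaked-credential risk detections against the
# known-bad window. Assumes the Microsoft Graph PowerShell SDK
# (Microsoft.Graph.Identity.SignIns) and a Security Reader/Operator role.
Connect-MgGraph -Scopes "IdentityRiskEvent.Read.All", "IdentityRiskyUser.ReadWrite.All"

# Window taken from the guidance above, expressed in UTC.
$windowStart = [datetime]::new(2025, 4, 20, 4, 0, 0, [System.DateTimeKind]::Utc)
$windowEnd   = [datetime]::new(2025, 4, 20, 9, 0, 0, [System.DateTimeKind]::Utc)

# Filter by event type on the server; do the time comparison locally so the
# script does not depend on which riskDetection properties $filter supports.
$detections = Get-MgRiskDetection -All -Filter "riskEventType eq 'leakedCredentials'"

$inWindow  = @()
$outWindow = @()
foreach ($d in $detections) {
    if ($null -eq $d.DetectedDateTime) { continue }   # nothing to compare against
    $t = $d.DetectedDateTime.ToUniversalTime()
    if ($t -ge $windowStart -and $t -le $windowEnd) { $inWindow += $d } else { $outWindow += $d }
}

"Leaked-credential detections inside the known-bad window: $($inWindow.Count)"
$inWindow | Select-Object UserPrincipalName, DetectedDateTime, RiskState, RiskLevel | Format-Table

"Detections OUTSIDE the window (investigate these normally): $($outWindow.Count)"
$outWindow | Select-Object UserPrincipalName, DetectedDateTime, RiskState, RiskLevel | Format-Table

# Optional: once a human has reviewed the in-window list, clear the user-level
# risk so risk-based Conditional Access stops blocking those accounts.
# This is a judgement call for the tenant owner; $false keeps the script read-only.
$dismiss = $false
if ($dismiss -and $inWindow.Count -gt 0) {
    $userIds = $inWindow |
        Where-Object { $_.RiskState -eq 'atRisk' } |
        Select-Object -ExpandProperty UserId -Unique
    if ($userIds) { Invoke-MgDismissRiskyUser -UserIds $userIds }
}
```

Run it read-only first and compare the out-of-window list against your own sign-in logs; only the in-window detections are covered by Microsoft's explanation, and any detection outside it deserves the normal leaked-credential response (password reset, session revocation, sign-in review).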
