This week has sucked so far.
I’m not going into too much detail, but I have a site whose Office 365 accounts have been hacked through web access. This occurred because those user passwords were generated with an algorithm that uses a standard format of four characters and four numbers. The key is, apparently, that the four characters are always “pronounceable”, which means hackers just generate a list of, say, 250k possibilities, and then they slow attempt to log into your Office 365 account using known email addresses.
It’s been a mess of changing user passwords and making sure everything is working properly.