3

I have two email accounts. My main one, which I created a few years ago and switched to, has a very strong, unique password that is not written down or stored anywhere. It also has 2-factor auth enabled. I also have an older email account that I haven't used in years but kept around since my Paypal account is linked to it. I forward all the emails from my old account to my new one.

A few days ago I received an email from Microsoft saying that there was a new access to my old email account. I reviewed the activity and after confirming that it was indeed not me, I immediately recovered the account, changed the password and added 2-factor auth for this one as well. The email from Microsoft said that the account was locked down, and that access to my inbox, contacts and calendar was blocked until I verified it.

This is an old account that I haven't used in years, there aren't any important accounts associated with it other than my Paypal account. I logged into Paypal, reviewed my details, history, nothing has changed, no payments have been made.

I changed my Paypal password, but since it was still the same one, I presume that the attacker didn't try to recover it. The message from Microsoft said that my inbox was blocked as soon as he tried to log in; if this is true, then he wouldn't have been able to receive the password reset email at all.

What's my next step? I want to believe the Microsoft email and think that my inbox was locked and thus the attacker wasn't able to get anything out of my account, but a part of me doesn't want to take any chances.

I recently started using a password manager and changed a few dozen passwords on all the websites I frequently use, and I use different passwords for my bank website, Paypal and my main email address, none of which are in the password manager.

Does anyone else have experience with a breached Microsoft account? Could the attacker do more damage than I think? Are there some things I need to watch for?

Any advice would be really appreciated.

Charles
  • 31
  • 1

2 Answers

1

General rule of thumb when this happens (and it's a pain): You have to go through the old account, figure out what other online services are linked to it, and then update your login info on all of them.

Linked online services being defined as:

  • Services registered to the compromised account
  • Services for which you have recorded login or recovery info on that account.

If you used the old account as a recovery address for your new account, delist the old account immediately and constantly monitor your new account for reset requests.

Additionally, any personal or otherwise sensitive data you had stored in the account should be considered compromised. If you stored your personal identifying info on that account, you might consider registering for an identity protection service. If you have credit/banking card numbers and/or PINs contained anywhere on the account, cancel all affected cards and ask for new PINs where applicable.

A good way to do recovery email addresses is to have a single account on a trusted/reputable online email service with extremely strong login info (and preferably one that doesn't deactivate your account due to lack of use). Store the login info encrypted on 2 personal computers that never leave your house and preferably no one else has access to. Use this account solely for recovery; NEVER use it to register for online services as this will expose the email address. Harder to get hacked if no one else knows about the hidden recovery address.

Why this works: First, make some generous and slightly unrealistic assumptions - the user never gets keyloggers or similar malware and the email service never gets compromised. The recovery email is never typed in on any other website so hackers have no way of knowing it exists. The only way they can gain access: grabbing the computer with the login info and decrypting it. This means they would need to find the geographic location of your house, climb in through a window or unlock a door, figure out which computers have the encrypted info, and then hack the encryption. That's an extremely tall order for anything short of a government-sponsored hack or an "inside job" (where a roommate or family member somehow records the decryption key and takes the recovery account).

user1258361
  • 420
  • 2
  • 12
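The first step in the answer above, going through the old mailbox to work out which services are registered to it, can be partly automated from a mail export. The following is an added example, not code from this thread or from any of the posters: it parses a constructed set of exported messages, groups senders by domain, and flags subjects that look like registration, password-reset, receipt or security mail, so the owner knows where to rotate credentials and recovery details first. The keyword lists, the sample addresses and the `.example` domains are all my assumptions.

```python
"""Inventory the online services tied to a compromised mailbox.

Added example (not from the original thread): given raw RFC 822 messages
exported from the old account, it groups senders by domain and flags the
kinds of account-related mail seen, so the owner knows which services to
update first. All messages below are constructed sample data.
"""
import email
from email.utils import parseaddr

# Subject keywords that suggest the mailbox is registered with the sender.
# The keyword lists are an assumption; tune them to the mailbox under review.
SIGNALS = {
    "registration": ("welcome", "verify", "confirm your", "activate"),
    "password_reset": ("password reset", "reset your password"),
    "transaction": ("receipt", "invoice", "order", "payment"),
    "security_alert": ("sign-in", "login", "new device", "unusual"),
}

# Constructed sample export: a few messages as they would appear in an mbox-style dump.
SAMPLE_MESSAGES = [
    "From: PayPal <service@paypal.example>\nSubject: Receipt for your payment\n\nYou sent a payment.\n",
    "From: Account team <noreply@accountprotection.example>\nSubject: Unusual sign-in activity\n\nWe noticed a new sign-in.\n",
    "From: Shop <noreply@shop.example>\nSubject: Welcome! Please verify your email address\n\nClick to verify.\n",
    "From: Blog <news@blog.example>\nSubject: Weekly digest\n\nThis week's posts.\n",
    "From: Shop <noreply@shop.example>\nSubject: Your password reset request\n\nUse this link to reset.\n",
    "From: Alice <alice@friend.example>\nSubject: Lunch?\n\nFree on Friday?\n",
]


def sender_domain(msg):
    """Return the lowercase domain of the From: address, or None if unparsable."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def classify(subject):
    """Return the set of signal names whose keywords appear in the subject."""
    text = subject.lower()
    return {name for name, words in SIGNALS.items() if any(w in text for w in words)}


def inventory_linked_services(raw_messages):
    """Map sender domain -> {"messages": count, "signals": sorted signal names}."""
    inventory = {}
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        domain = sender_domain(msg)
        if domain is None:
            continue
        entry = inventory.setdefault(domain, {"messages": 0, "signals": set()})
        entry["messages"] += 1
        entry["signals"] |= classify(msg.get("Subject", ""))
    # Convert the sets to sorted lists so the result is stable and easy to print.
    return {d: {"messages": e["messages"], "signals": sorted(e["signals"])}
            for d, e in inventory.items()}


def priority_domains(inventory):
    """Domains with at least one account signal: rotate credentials and recovery info there first."""
    return sorted(d for d, e in inventory.items() if e["signals"])


if __name__ == "__main__":
    inv = inventory_linked_services(SAMPLE_MESSAGES)
    for domain in priority_domains(inv):
        print(f"{domain}: {inv[domain]['messages']} message(s), signals={inv[domain]['signals']}")
    print("review manually:", sorted(d for d in inv if d not in priority_domains(inv)))
```

Senders with no signal (a newsletter, a personal contact) are still listed so nothing is silently dropped; they just go in the "review manually" bucket rather than the priority list. On a real export, read the messages with `mailbox.mbox` and pass each one's `as_string()` to `inventory_linked_services`.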
-1

Could the attacker do more damage than I think?

Not if you perform the following:

  • Remove all account recovery information except cell phone.
  • Keep your cell phone encrypted and use a password or PIN.
  • Check and remove access granted to other apps and websites.
  • Log out from all other sessions.
  • Remove all trusted devices from your account.
  • Don't use a password manager. (Personally, I don't trust password managers. If it gets hacked, all of your websites get hacked.)

Are there some things I need to watch for?

  • Keep login notifications ON.

SiD
  • 107
  • 1