this post was submitted on 17 Feb 2024
137 points (96.6% liked)

techsupport

2469 readers
20 users here now

The Lemmy community will help you with your tech problems and questions about anything here. Do not be shy, we will try to help you.

If something works or if you find a solution to your problem let us know it will be greatly apreciated.

Rules: instance rules + stay on topic

Partnered communities:

You Should Know

Reddit

Software gore

Recommendations

founded 1 year ago
MODERATORS
 

Like the title says, I’ve got yesterday an email with a code to access my Microsoft account and that made me suspicious because I wasn’t trying to login to my account. When I looked at the login attempts I saw that someone else was trying to access my account, I changed my password, activated TFA. Thinking of going through and buying a physical key like yubico to further secure my account. Any tips are appreciated.

all 38 comments
sorted by: hot top controversial new old
[–] hinterlufer 49 points 9 months ago (1 children)

PSA: you can add mail aliases for outlook and set one of the new aliases as your only valid login address. That way no one knows your login email address in the first place.

[–] [email protected] 4 points 9 months ago

What a great tip. Thanks!

[–] [email protected] 19 points 9 months ago

What you need to realize is that for Microsoft, these attacks are constant. They deal with them basically 24/7/365. The target might change, but the attacks never stop.

Between Hotmail, Outlook, and exchange online (365) they're handling a large number of attacks per second all the time.

If they started to inform you about it, they would easily triple the emails they're handling due to all the failure messages.

This is nothing new to them, it's been going on since long before you noticed. Any MFA will effectively stop any attacker in their tracks. Make sure you have changed your password since you got that code sent to you, since that usually indicates a successful password breach.

Yubikeys are a good idea but you should always have a backup, so if you can afford it, buy two. One to carry, one to use. The downside is that each needs to be enrolled separately to each service that they're used for. It's not an issue to have multiple keys associated to the account, so that would be my recommendation.

I have a yubikey for work, and I use TOTP as a backup, and personally, I have a pair of Google Titan security keys. One to carry and one to stay at home.

[–] [email protected] 18 points 9 months ago (4 children)

Happened to me too yesterday. Gave me a big bump to my evening plans. Luckily I too have 2fa activated via 2 different systems {SMS AND second Mail address). They cracked my randomly generated password - which doesn't surprise me that much, brute force cracker are pretty effective nowadays.

What bums me is that I used this as an argument to teach a friend but he just used the same ol' reliable "naah, I'm too lazy". Can't change him, just told him to think about using 2fa everywhere money is involved. The rest is up to him.

What's also pretty bad from MS is that yes you can use several different mailadresses but no you can't prevent that all of them can be used as login. One is compromised but also used for mail traffic so I can't just delete it. But also can't prevent it from logging in to the account. Thanks MS..

[–] [email protected] 45 points 9 months ago (2 children)

They cracked my randomly generated password - which doesn't surprise me that much, brute force cracker are pretty effective nowadays.

I'm actually surprised that it'd be feasible to use a brute force approach to gain access to an online account. I would expect them to hit some kind of rate-limiting long before they'd find the correct password

[–] [email protected] 15 points 9 months ago* (last edited 9 months ago)

Brute force attacks are usually done offline, where the attacker somehow gets a copy of a database of hashed passwords and they can take as many attempts as they want locally before they get a hit and can try it online.

[–] [email protected] 3 points 9 months ago

Looking at my history, they're hours or a day apart. Probably no chance of getting into any halfway decent password that way, but if they can automate it with thousands of different email addresses, eventually they'd get an account with a weak password and get in.

[–] [email protected] 10 points 9 months ago

I appreciate when commenters end their first paragraph with bullshit so you don’t have to read any farther. I’d love to hear how you think they cracked your randomly generated password via brute force against Microsoft.

[–] [email protected] 8 points 9 months ago* (last edited 9 months ago) (2 children)

Hey so you actually can make it so an email address doesn't log into the account, it's how I stopped one particularly persistent hacking attempt when they finally managed to crack my password but were stopped by 2fa. Go to your profile > account info > sign in preferences, then as long as you have an alias email on the account you can deselect ones that you don't want to be able to be used as a log-in.

[–] [email protected] 3 points 9 months ago

With Microsoft I couldnt figure out how to enable 2fa against minecraft. Seems they do not have 2fa of any kind there and that is linked to your microsoft account. I guess the permissions there are just for minecraft, but if I was a betting man, I would venture there is a big hole there.

[–] [email protected] 0 points 9 months ago

Oh, really?! Okay gonna try that, thanks for the Tipp!

[–] [email protected] 4 points 9 months ago (1 children)

What kind of randomly generated password did you have that was crackable? I usually use 30 characters completely random string. If that’s crackable, maybe I need to rethink things.

[–] [email protected] 1 points 9 months ago

Stupidly just 12 random characters. I was too naive and hoped that'll be it.

[–] [email protected] 17 points 9 months ago* (last edited 9 months ago) (1 children)

This has been happening with my original MS email account for years. It's been in so many data breaches and pwns over the years that I basically have abandoned it. It's constantly being probed by malicious actors from outside the US. I still keep it for when family reaches out, otherwise I'd close the account.
There's no real way to block the attempts. Make sure your password is rock solid (randomize and store it in a password manager) and unique, put on 2FA, and ensure your recovery methods aren't easily phishable/leakable.

[–] [email protected] 5 points 9 months ago (1 children)

Same, since it's a ms account I have a ton of stuff linked to it and can't simply close it. You can change your login email, as far as I can tell you still get the emails that were sent to the old address, just moving forward what you sign in with is different. That slowed it down a little bit for me.

[–] [email protected] 3 points 9 months ago

That's good to know. I'll give it a shot setting up another alias but still keeping the address functional

[–] [email protected] 12 points 9 months ago

As long as you have 2Fa setup via a yubikey or phone app, and it via sms or email, you should be fine, they will give up eventually.

[–] [email protected] 10 points 9 months ago (1 children)

They cracked my password from a German VPN about a month ago. I Changed to passwordless within mins.

They seem to be really targeting Microsoft users, I am suprised Microsoft hasn't released a statement.

[–] daft61lunacy 2 points 9 months ago (1 children)

That’s what bugs me, they have been trying from January and no notice from MS.

[–] dai 2 points 9 months ago

Yeah my account has been hit since the end of December every 7 or so days.

The only things I've got in my account are some windows 7 / 10 licence keys and a migrated Minecraft account. Really not a concern to me if they can somehow get past 2FA.

The lack of response from MS is pretty shit, and to be expected from MS.

[–] wonderfulvoltaire 6 points 9 months ago (1 children)

Someone hacked my account using an SMS exploit from Russia last week

[–] daft61lunacy 2 points 9 months ago (1 children)

I removed my phone number just in case this might happen.

[–] [email protected] 5 points 9 months ago (1 children)
[–] daft61lunacy 11 points 9 months ago (2 children)

Yes, support said that they can’t stop it, and my account is safe.

[–] Sarie 10 points 9 months ago (1 children)

Same here, I have been in the same situation for years. Looks like if you email appears in a data breach every hacker in the world tries to get access to your email. Just never reuse your email password and set 2FA. That's more than enough to prevent unauthorized access and don't lose sleep over it.

[–] [email protected] 5 points 9 months ago

I got a notification from my original Xbox account from 2008 saying someone had managed to crack the password and needed the 2fa code.

I went to check on sign in activity and holy shit I knew that email account had been leaked long ago but I was not prepared for dozens to hundreds of sign-in attempts EVERY SINGLE DAY, from all over the world (at least I assume places that are popular VPN outlets)

That account doesn't have a single thing on it. No games, no cards, it was never even connected to the internet except the rare occasion when I was at a friend's house. And I don't re-use passwords except on throwaway accounts. So they would have been quite disappointed by it.

But just to be sure I changed the password again on all my big accounts or accounts with cards attached just in case.

[–] slazer2au 5 points 9 months ago (1 children)

You should enable passwordless auth with number matching.

[–] daft61lunacy 2 points 9 months ago (1 children)

I’ve ordered a few yubico keys and will look into it.

[–] [email protected] 4 points 9 months ago

You can also use MS Authenticator. It has the code match option too.

[–] [email protected] 4 points 9 months ago* (last edited 9 months ago) (1 children)

Lol. I noticed an attempt every five minutes the other day. Joys of an older account. Use MFA everyone, it's getting hairy out there!

[–] TrickDacy -1 points 9 months ago (1 children)

Usepunctuationeveryoneitshardtoreadwithoutit

[–] [email protected] 1 points 9 months ago
[–] [email protected] 2 points 9 months ago

What I find hilarious is that Microsoft wants you to connect your entire digital existence to your Microsoft account… software keys, Windows license, Windows account/login, the works.

One little pwn and all that goes bye-bye.

Thanks, but no thanks. I’m still 100% local. I refuse to hook my Microsoft account into anything other than OneDrive, and even with that, I’m clipping all of it’s wings so that it shares only exactly what I want it to, and not all of my user directories.

[–] HeyJoe 1 points 9 months ago

As others pointed out, use the app to authenticate. I'm pretty sure this was happening to me about a month ago for about a week. Kept getting the approve and number notification for new login, but I would deny it. Eventually it stopped.