Scary stuff

RavenLunatic · 15 May 2024 at 07:28

I happened to log into my Microsoft account to find that there where 3 unrecognised machines tied to my account running Windows 10. The hardware configuration was low end Pentium from 1996 so I presume they were from virtual machines. Why would someone link a random windows licence to my Microsoft account?

It gets worse, I clicked on the sign in activity, and it showed hundreds of failed log-in attempts from all over the world every day. Fortunately, I have a strong password and 2FA but still this is worrying to say the least.

I am aware that my e-mail address has been pwned a few times from various hacks over the years but I never use the same password twice.

Have you checked your Microsoft account lately?

The_Arbiter · 15 May 2024 at 08:03

I looked earlier this month as had some funky behaviour with various accounts signing me out on different devices. All 2fa, strong password, no pwnage/ breach on any account.

I noticed these attempts, there were 2/3 IIRC, China IP etc. My uneducated guess is that this is normal behaviour, and the reason strong passwords exist, etc.

IIRC I've read in some threads about router logs showing hundreds on attempted access into network being normal. Though hopefully someone with knowledge will elaborate.

mrk · 15 May 2024 at 09:09

The only way they'd be able to circumvent your 2FA is if they somehow gained access to your backup codes or backup methods of recovery/access - The latter would send you a notifcation in the Microsoft Auth app anyway though as a prompt pops up in the app for any login attempt from a non-authorised machine gaining access.

Alternatively one of your authorised machines has been compromised and as such because it's previously authorised, has had full access to your account and was able to be spoofed remotely I guess.

Otherwise 2FA is not possible on its own to bypass.

Like the movie Scream, the call is coming from inside the house.

I just logged into mine just for kicks, only my one PC as an authorised device,

I then checking the login activity and see this:

All but the top one are failed attempts, the top one is me just now. The Automatic Sync one is a failed attempt too whereby a bot is clearly trying am email based access but failing to sync. My 2FA method is via the official MS app, so unless they also have my phone and my biometrics, then there's no way anyone is getting in, even if they figure out my password.

RavenLunatic · 15 May 2024 at 15:10

I am sort of glad it’s not just me being targeted. I do not know how I have been compromised. Wouldn’t they do the whole ransomware thing at the first opportunity?

I did buy some windows 10 pro keys back in 2020. Could it be they have sold the same keys again?

It would explain why they linked to my MS account as I used all of them at one time or more on different machines.

I cannot see any successful attempts at logging in with my password or synchronization. Going to run Malwarebytes on my windows machines and see if it picks anything up.

mrk · 15 May 2024 at 15:12

If none of the attempts were successful then you haven't been specifically targeted and this is simply a case of bot machines checking various emails against big account services like MS to see if they can easy access the accounts.

That's the long and short of it so nothing to do, nothing to be concerned about.

nade · 15 May 2024 at 15:51

good prompt - hadn't changed my old Microsoft password for a while. Can see the same behaviour on my account, just a single random attempt and failing due to password.

I only have the one Microsoft key registered, still rocking the Win7 retail key I got back in 2009.

Emlyn_Dewar · 16 May 2024 at 01:23

2FA is the way. Saving us all from account loss since (I don't know when).

Murphy · 16 May 2024 at 07:18

If the email you used for your MS account has been leaked have you thought about creating an alias and disabling the login privileges for the email you used to create the MS account with.

Vandle · 16 May 2024 at 10:53

How do you access you activity log? Ta.

RavenLunatic · 16 May 2024 at 11:03

Sign in to your Microsoft account

account.microsoft.com

then select View my sign-in activity

RavenLunatic · 16 May 2024 at 11:18

Murphy said:
If the email you used for your MS account has been leaked have you thought about creating an alias and disabling the login privileges for the email you used to create the MS account with.

Thanks, I didn’t know you could do that.

I have gone the route of passwordless logon. It appears that option is the most secure as it does not give an attacker the option to guess my password.

On second thoughts that might be a mistake :s I hope my phone authenticator will not beep every time someone tries to log in.

Vandle · 16 May 2024 at 11:41

Mad that. I have 2fa set up already via google authentication app. 11 unsuccessful sign in attempts from6 different countries.

Disco_P · 16 May 2024 at 11:58

In the last 24 hours there have been 38 attempts to log into my account from all around the world.

Been pwn'd umpteen times so not really suprised, nor is it something to worry about with MFA.

ghummy · 16 May 2024 at 13:44

33 attempts yesterday from around the world

14 today so far.

im relaxed with 2FA and authenticator

Bubo · 17 May 2024 at 13:13

Me too.

Can I transfer my Microsoft account wholesale from its current linked email account to a completely separate email account, so I can basically abandon the current email, since I don't use that email address for anything important, and email also gets absolutely inundated with spam and phishing attempts, so I certainly don't mind if I just pretended it didn't exist if it meant these login attempts would stop. I'm guessing at least until they manage to guess the other email account name. Or is this just not at all relevant?

RavenLunatic · 17 May 2024 at 14:12

Changing to passwordless hasn’t stopped the login attempts. There are fewer of them, but fortunately I haven’t been inundated with authorisation requests in fact none. The devices section does not show the foreign PC’s after I deleted them on Wednesday, but I will be keeping an eye on it in case it happens again.

Orcvader · 17 May 2024 at 14:46

RavenLunatic said:
Changing to passwordless hasn’t stopped the login attempts. There are fewer of them, but fortunately I haven’t been inundated with authorisation requests in fact none. The devices section does not show the foreign PC’s after I deleted them on Wednesday, but I will be keeping an eye on it in case it happens again.

Oddly enough, I actually had a couple of prompts sometime last year asking me to authorise the attempt

. Haven't seen it happen again ever since though.

Murphy · 17 May 2024 at 15:44

Bubo said:
Me too.

Can I transfer my Microsoft account wholesale from its current linked email account to a completely separate email account, so I can basically abandon the current email, since I don't use that email address for anything important, and email also gets absolutely inundated with spam and phishing attempts, so I certainly don't mind if I just pretended it didn't exist if it meant these login attempts would stop. I'm guessing at least until they manage to guess the other email account name. Or is this just not at all relevant?

I'd never use a MS account myself but from what i understand you just add an alias, disable logon for the primary email (don't delete it), and use the new alias to logon.

Basically this...

https://old.reddit.com/r/microsoft/comments/1aicvwk/how_to_stop_unsuccessful_login_attempts_to_your/

Rab · 17 May 2024 at 16:25

just had a look, so many on my account from the last 30 days

arknor · 17 May 2024 at 16:47

Someone hacked my email back in the blueyonder days, then they used my email address to send spam to other people lol...

Most bizarre thing I ever saw. literally spamming random people with penis enlargment type adverts