Hacked White Guy and the 7 Microsoft Employees
While getting ready to leave my house one Saturday night, I received the following somewhat alarming text message:
Someone else might have accessed Microsoft account [my email address]. Recover at https://account.live.com
“Well shit,” I think to myself, “that’s not good.”
I log on to my Microsoft account, and am asked to verify my login via a text message.
Before I go any further, full disclosure: I enabled two-factor authentication (TFA) on the account back in the days before Microsoft had their own TFA application (I was using Google Authenticator). A few months back I got a new iPhone, and as you may know, Google Authenticator data doesn’t come across in a new backup — so I lost it. It didn’t matter though, as I still had my phone connected to the account, so until I could be bothered to reset the authenticator app I would still be able to log in via SMS code. But just to be clear, the ONLY legitimate way to access the account was via SMS — the Google Authenticator option was lost. The old phone was wiped, and still in my possession.
I log in to my account, remove the old Google Authenticator connection to my account, set up the new Microsoft Authenticator app on my phone, and change my password.
I then decide to check the “Recent Activity” page, which shows all of the login attempts made to your account.
Most look normal, except for this:
Three things about this worry me. Not individually, but together.
- It says “Successful sign-in”.
- I use a password manager, so the password for that account was a long unique string of nonsense.
- I have two-factor authentication enabled on this account.
How was a login able to be “successful” if I have two-factor auth, and I didn’t receive a text message with a security code?
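The three facts above are worrying precisely in combination: a successful sign-in, from a place the owner never signs in from, with no second-factor challenge the owner ever saw. The check below is an added example (not code from the post and not anything Microsoft provides) of reviewing sign-in activity with exactly that rule. The record layout is a constructed approximation of an account “Recent Activity” list, the `mfa=yes/no` field is an assumption (the real activity page does not show whether a second factor was challenged), and the sample entries, including the IP addresses, are made up for the demonstration.

```python
"""Flag successful sign-ins that are unfamiliar and lacked a second factor.

Added example. The log format and the mfa=yes/no field are assumptions made
for this demonstration; they are not Microsoft's real activity export.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple


@dataclass(frozen=True)
class SignIn:
    when: datetime
    result: str        # "success" or "failure"
    country: str       # country the activity page geolocated the IP to
    ip: str
    mfa_seen: bool     # True if a second-factor challenge was recorded (assumed field)


# Constructed sample records (not real data). The third line mirrors the
# kind of entry the post describes: a success from Singapore, no challenge.
SAMPLE_LOG = """\
2017-02-01T19:02:00 success AU 203.0.113.10 mfa=yes
2017-02-02T08:15:00 failure SG 198.51.100.7 mfa=no
2017-02-03T23:16:00 success SG 198.51.100.7 mfa=no
2017-02-04T10:00:00 success AU 203.0.113.25 mfa=yes
"""

# Countries the legitimate owner actually signs in from.
KNOWN_COUNTRIES = frozenset({"AU"})


def parse_log(text: str) -> List[SignIn]:
    """Parse the constructed whitespace-separated activity format."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, result, country, ip, mfa = line.split()
        if not mfa.startswith("mfa="):
            raise ValueError(f"malformed record: {line!r}")
        records.append(SignIn(datetime.fromisoformat(when), result,
                              country, ip, mfa == "mfa=yes"))
    return records


def suspicious_sign_ins(records: List[SignIn],
                        known_countries=KNOWN_COUNTRIES
                        ) -> List[Tuple[SignIn, List[str]]]:
    """Return successful sign-ins with the reasons each one deserves a look.

    Failed attempts are ignored here: password guessing against a long
    random password is noise, whereas a success the owner did not perform
    is the thing that needs explaining.
    """
    findings = []
    for rec in records:
        if rec.result != "success":
            continue
        reasons = []
        if rec.country not in known_countries:
            reasons.append(f"sign-in from unfamiliar country {rec.country}")
        if not rec.mfa_seen:
            reasons.append("no second-factor challenge recorded")
        if reasons:
            findings.append((rec, reasons))
    return findings


if __name__ == "__main__":
    for rec, reasons in suspicious_sign_ins(parse_log(SAMPLE_LOG)):
        print(f"{rec.when:%Y-%m-%d %H:%M} {rec.ip} ({rec.country}): "
              + "; ".join(reasons))
```

The known-country set is the part that needs judgement: it should also cover any country where a linked app or service signs in on your behalf, and geolocation of mobile-carrier addresses is often wrong, so a single unfamiliar entry is a prompt to investigate rather than proof of compromise. A success with no second factor recorded is the finding that should never be explained away by those caveats.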
I try to engage the Microsoft Support account on Twitter for help.
With the benefit of hindsight, their first response is a worrying omen for how my entire engagement with Microsoft over the course of this issue is about to go down.
So I click the link to contact their “Answer Desk”, and have what turns out to be the most pleasant part of this ordeal. Unfortunately I didn’t keep a record of the conversation, but the person on the other end of the live chat basically asked me if it was possible I’d actually signed in from Singapore (I hadn’t), if I was using a proxy at the time of the sign-in (I wasn’t), and if I’d even used the Microsoft account the day of the suspicious activity (I didn’t).
The account is only used for my Xbox, my gaming PC, and my Skype account. There’s no reason for a sign-in to occur from Singapore, ever.
Unable to help me any further, the live-chat rep gave me a link to contact “the Microsoft Security team”, which redirected me to a standard web form which I filled out:
Hi there, I recently received a notification that suspicious activity had been detected on my account. When I logged in to my account, there was a “Successful sign-in” from an IP based in Singapore. However, my account was protected with two-factor authentication — so I’m obviously quite concerned with how a “successful sign-in” was able to occur. The suspicious activity occurred on 2/3/2017, 11:16 PM. Obviously, if a sign-in was successful and protected with TFA, it is quite concerning to me how a successful sign-in was able to occur.
Less than 12 hours later I got the following reply. From now on, any emphasis in these emails is mine (so you don’t have to read them all):
Welcome. This is Rodolfo, your Microsoft account Support specialist for today.
I understand your concern about the account being accessed from a different country, but no worries, I am here to help you out.
To avoid instances such as what happened to your account, we suggest that you update your account password and secure your account further to protect against and prevent such cases in the future.
In order for you to change your password, please go to this link: https://account.live.com/pw or you may change your password under the security information in your account if you are able to log in successfully.
You may follow these tips to help keep your Microsoft account safer and make it easier to recover.
1. Create a strong password that you can remember
2. Never reply to email asking for your password for security
3. Make your account easier to recover by adding additional Security info & security codes
4. Check and review your recent activity
For you to be able to update the security information, please go to this link: https://account.live.com/proofs/Manage?mkt=en-US
Also, the links below are additional resources you can read for other Sign In issues and how to prevent the incident above from happening again:
To help protect your Microsoft account
To know more about security info & security codes
If you are still having issues accessing your account, please let us know.
Microsoft account Support Team
TL;DR: I couldn’t be bothered to do anything other than skim your request and you mentioned something about access from another country so I’ll suggest you change your password.
So I try again:
I don’t believe that you read my original ticket correctly. The issue is not about protecting my account in the future, I want to know what happened to cause my account to be logged in from another country while I had two-factor authentication enabled.
How was there a “successful sign-in” with “suspicious activity” from another country, on a day when I was not using my Microsoft account, when I had two-factor authentication enabled?
To be clear, the issue is not that I am having trouble accessing my account.
Obviously this issue is very concerning so I would appreciate a prompt reply.
The next day I get the following reply:
Thanks for coming back to Microsoft account Support Team.
Looking at it, you have an account security issue due to a message that there’s a successful sign-in with suspicious activity in another country, given that two-step verification is enabled on your account. It must be troubling and alarming that your account got compromised. I know how important it is for you to get this issue rectified, so let me assist you.
I have investigated your account and found that your two-step verification feature is enabled. So what’s with this feature? Two-step verification is an additional security feature that can be manually enabled by account owners. It bypasses the use of a personalized password by requiring the use of a single-use code each time you access the account. Provided that this is more of a high-security feature, it also disables the account recovery function since it would defeat its purpose. Once the TSV feature has been enabled, it restricts any attempt to recover other than using the two security information items registered on the account.
Moreover, have you heard about Familiar Location? It is when you’re signing in from someplace where you don’t usually sign in or using new apps or device, you might be asked to confirm the email or phone number on your account. The system will tag these scenarios as unusual sign-in activities and it’s a security measure to protect you from hackers. We just want to make sure that the real owner of the account is accessing the account. I’m afraid that this is by system-design and cannot be bypassed.
You may want to check the link below to learn more about Familiar Location:
If you think that someone else is accessing your account in different location, we suggest that you take the extra step to secure your account by taking the following actions, like creating a strong password and updating your security information to keep your account safe and make it easier to recover if it’s ever compromised. Configuring your security information can make it easier to recover your account if someone else takes control of it. It’s a good idea to add as much password information as you can because this information is used for your safety.
We have also added the recent activity on your Microsoft account summary page wherein you can track your account’s sign-in activity.
For each activity, the recent activity page lists the date and time, location, and type of activity. Keep in mind that if you use a mobile device, your location may not be reliable. This is because mobile phone services route your activity through different locations. This can make it look like you signed in from somewhere you’re not.
There you go. If you have other concerns about your Microsoft account aside from the topic above, please let us know.
TL;DR: I notice you have two-factor authentication on your account. Let me tell you what two-factor authentication is, in case you forgot.
Deep breath. Let’s try again:
I know what two-step verification is, that’s why I enabled it. I also have a strong, unique password that is not used for anything else. I still don’t think you’re addressing my concerns, so I’m going to propose a real simple question:
How was there a successful sign-in that wasn’t by me when I have two-step verification enabled on my account?
Thanks for letting me know the answer to this.
Two hours later:
I’m Michael and I apologize for the delayed response. I appreciate the time you’ve spent in bringing this information to us that there is a successful sign-in to the account even if the highest security is active on the account. To investigate the issue, are you using any application or program, such as an email client, that your account is added to? If you do, there is a possibility that the server of the application or program you’re using is located in that country.
If you have additional questions or clarifications, please get back to us anytime.
Have a good one.
TL;DR: An actual decent question: are you signed in using some application that might be located in the suspect country?
No, but I’m beginning to wish I was.
The account is not logged in to anything other than an Xbox One, a Skype account, and a gaming PC’s Windows account. None of these are routed through any VPNs or proxies (i.e. all traffic comes from 1 of 2 static IPs based in Australia, my home and my work).
Obviously I didn’t receive a two-step notification on my phone or email regarding the suspicious login, which is why it is so worrying. I didn’t know about the suspicious login until a day later (when I was notified of the activity via text message).
Why would I not have received a 2-step auth request to my phone or email when the attacker attempted to log in?
Half a day later:
Thank you for getting back to us and we apologize for the delayed response due to the high volume of queries that we are experiencing at this moment. To better determine the root cause of your issue, kindly provide us with a screenshot of your recent activity page where you see the suspicious activity that occurred on your account.
To upload and share screenshots using your Microsoft OneDrive, you may refer to the steps I have provided below.
1. Log into https://onedrive.live.com here using your Microsoft account.
2. Click the “Upload” button at the top of the page and browse the file from your computer or device.
3. Once uploaded, select the file by clicking the small rectangle at the upper right on it, and then click on the “Share” button located on the top of the page.
4. Click on “Get a link” and choose “View only” from the dropdown under “Choose an option”
5. Click on “Create a link” to generate a link, and then provide us the link of the file.
We will be waiting for your response. We will appreciate any information that you can provide us.
I provide the screenshot (the first one you see at the top of this article, except not redacted).
Link is as follows:
At this point in time my account was secured by two-step verification. I added the Microsoft Authenticator app once I noticed it, but still had two-step auth set up on my account via my phone number.
I’d appreciate an answer as to how this happened as soon as possible.
A week passes.
I have now not heard anything regarding this ticket for over a week. Please indicate what the issue is and get back to me as soon as possible.
Thank you for getting back to us again and we apologize for the delayed response due to the high volume of queries that we are experiencing at this moment.
Thank you for the screenshot you provided. Given this, kindly verify to us whether you are using the same password for your Microsoft account on your Xbox One, Skype account, and gaming PC’s Windows account?
We will be waiting for your response. Please bear with us.
No. The password is a unique password and not used by anything else.
The next day:
Thank you for contacting us again. This is Tonirose and I will continue assisting you today!
We received your request stating that you found a successful login from another location which is not you, even after changing your password and enabling TSV on your account. We know how alarming it is that even with the highest security a hacker can still access your account. Leave your worries aside, I will personally take care of this for you.
We advise that you also check the security information linked to your account to confirm whether the linked account is still yours. Kindly click the link below: If not, I suggest that you remove the unknown security information.
If you are familiar with the security information, we advise that you change your sign-in preferences. These steps will allow you to change the email address that you are going to use when you log in to your account. Please follow the steps below:
1. Log in to https://account.live.com/proofs/Manage?mkt=en-us
(If you get a security prompt asking for a security code, please choose one of the security options available where you would like to get the code)
2. Click “Change Sign in Preferences” under Sign in Preferences.
3. Choose which email addresses and/or phone numbers are allowed to sign-in to your account. To improve security, only allow sign-in from email mailboxes and/or phone numbers you monitor.
If the hacker is still insisting on getting your account and you see that on your recent activity page, kindly send us a screenshot of the other hacker attempt.
To attach a screenshot, please refer to the steps that I will provide.
1. Click the link from this e-mail to view the thread.
2. Click the “Browse” button.
3. Select the file from your computer. Wait for the loading process to finish. (It may take a while to upload the file)
4. Click “Submit”
If you have any questions, clarifications or other inquiries, please don’t hesitate to contact us again. We’ll be glad to assist you further. We will wait for your response.
Tonirose then closed the ticket.
I’m done. I’m fucking done. I will never know how a successful sign-in occurred, nor will I feel confident in the security of my Microsoft account.
Thankfully I don’t use my Microsoft account for anything other than gaming. So congratulations my Singaporean friend, you probably got me, and if you did, please feel free to blackmail me over all of the Xbox games I started and then didn’t finish. Perhaps it’ll motivate me to finally pick them up again. I heard the new Tomb Raider is actually quite good.