Calling all gamers

So, at a little after midnight I received an email telling me my Microsoft account had been compromised. Now it wasn’t for an active account, and it was only ever used for an X-Box subscription, so I mentally marked it as spam.

However, after a double-take and a re-examination the email seemed to link to M$ addresses rather than random spam locations. After logging into the account directly (not via the link in the email) it turns out that the email was indeed valid; it appears that somebody had logged into my Microsoft account, with the correct password … from Germany (!). Fortunately I have 2FA set up on the account so they didn’t get any further than triggering a security alert email.

Looking at the privacy logs on the account, it looks like somebody was trying a brute force password attack, and somehow managed to succeed. From memory (!) the password on that account should have been generated on a Linux machine with “pwgen” - so an apparently successful guess is a little worrying.

Anyway, these sorts of attacks don’t seem to happen in isolation, so if you have a M$ account and see an odd security alert email, might be worth a closer look.
(and 2FA also seems to be useful 🙂)

As an aside, I’ve noticed recently that streaming services tend to not provide or promote 2FA. Whereas I can understand that setting up devices to use streaming services may become more complex with 2FA, given some streamers provide additional / chargeable services (pay per view etc) having a credit card on an account without hardened security, well, maybe I’m a little paranoid but …

Anyway, I tried to cancel an old streaming account over the last few days (very large provider / household name) only to find that not only does there not seem to be any way to remove credit card details from the account (without entering new ones), there doesn’t seem to be any way to delete the actual account without contacting their support department 😱

Anyone else come across this?
