Sanity check: email from Microsoft Account team

Ant555 Posts: 1,590 Forumite

Hi all, I'm just trying to work out the significance, if any, of some emails I have started to receive regularly.

My main account is a Microsoft Hotmail address; the recovery address is my Gmail address (different prefix/name before the @).
I keep getting messages like the one below to my Gmail address. It's not phishing, as it's not asking me to do anything.
The last line says don't worry if I didn't request it. However, I think that Microsoft asks you to type/confirm the recovery email address, so do you think someone knows the combination of the Gmail recovery address for my Hotmail address? (It's not that they are the same prefix; the names are different.)


from account-security-noreply@accountprotection.microsoft.com
Hi <my gmail address>@gmail.com,
We received your request for a single-use code to use with your Microsoft account.
Your single-use code is: <7 digit number here>
If you didn't request this code, you can safely ignore this email. Someone else might have typed your email address by mistake.

Comments

  • Don't think that Microsoft asks for the whole recovery email address when you (or in this case, someone else) are trying to recover from a lost/forgotten password; it asks if you want a code sent to "ab********@gmail.com" (or use a phone number or authenticator app or whatever you've set up). Unless you use the recovery Gmail account for this and no other purpose, I can't see why this message should cause too much concern.

    I'd be more concerned that someone is trying to access my primary account in the first place. Occasional attempts being flagged up are not unusual (random bot password reset attempts) but you seem to have all the 2FA stuff in place to see them off. If you haven't done so in a while then might be worth resetting your passwords on both accounts. 
  • Ant555 Posts: 1,590 Forumite

    Thanks for the reply -

    I'd be more concerned that someone is trying to access my primary account in the first place.
    I've had this particular Hotmail address for around 20 years, so I wouldn't be surprised if it appears on various lists on the internet.

    I have just spotted the option to view account activity, and it's showing unsuccessful logins and also unsuccessful sync attempts from Russia, China and the US. I just tried logging in from a new browser and it does indeed auto-send a code to my Gmail without me prompting, so I think that's relatively safe (I thought it asked you to type it).

    I will update my passwords for both emails though.

    All the best
  • GDB2222 Posts: 25,939 Forumite
    Is it slightly worrying that some bot only needs to know an email address, request a reset code, type in a random 7 digit code, and around 1 in 10 million times, it's cracked the account?

    If a single machine can run say 1000 parallel processes, each taking say 3 seconds, it can crack 3 accounts per day. That's enough to keep some hacker, sitting in his pyjamas in Siberia, busy analysing the accounts for banking information. If he wants to be busier, he just buys a second PC.
    No reliance should be placed on the above! Absolutely none, do you hear?
  • Ant555 Posts: 1,590 Forumite
    @GDB2222 - I agree,
    I must have switched on the option to sign in using a code (sent to an authenticated email address) rather than using my password. I've now switched it back to password.

    Ideally I want both, so I'm looking at the 2FA options.


  • GDB2222 Posts: 25,939 Forumite
    I must admit that I had assumed this was a password reset code. 
  • Sandtree Posts: 10,628 Forumite
    GDB2222 said:
    Is it slightly worrying that some bot only needs to know an email address, request a reset code, type in a random 7 digit code, and around 1 in 10 million times, it's cracked the account?

    If a single machine can run say 1000 parallel processes, each taking say 3 seconds, it can crack 3 accounts per day. That's enough to keep some hacker, sitting in his pyjamas in Siberia, busy analysing the accounts for banking information. If he wants to be busier, he just buys a second PC.
    Any decent system will have a brute force detection system, and so after X number of unsuccessful tries will either lock the account and require some form of alternative recovery action, or create a gap before the next attempt can be put in, which extends after each wrong entry. My iPad screen broke and was getting phantom inputs; at one point it was 12 hours or so I had to wait for the next attempt, and it would have gone to a day had it gone in wrong then.

    10 million numbers start to take a long time to cycle through when you are having to wait a week between each attempt etc.
  • GDB2222 Posts: 25,939 Forumite
    Sandtree said:
    Any decent system will have a brute force detection system, and so after X number of unsuccessful tries will either lock the account and require some form of alternative recovery action, or create a gap before the next attempt can be put in, which extends after each wrong entry. My iPad screen broke and was getting phantom inputs; at one point it was 12 hours or so I had to wait for the next attempt, and it would have gone to a day had it gone in wrong then.

    10 million numbers start to take a long time to cycle through when you are having to wait a week between each attempt etc.
    If you have a list of say 100m email addresses to cycle through, a brute force detection system has a more difficult task, although it can obviously detect a large number of attempts from a single IP address.
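An added worked example, not posted by anyone in this thread and not a description of Microsoft's actual policy (which the thread does not state), putting the three arguments above into code: GDB2222's no-limit arithmetic for a 7-digit code, Sandtree's point that invalidating the code after a few wrong guesses and forcing a fresh request changes the timescale from days to centuries, and GDB2222's follow-up that an attacker spreading one guess each over a long address list is caught by counting distinct accounts per source IP. The lockout numbers (5 tries, one-hour window), the detector threshold (20 accounts per IP), the account names and the IP 203.0.113.7 are all constructed for the demo.

```python
import hmac
import secrets
from collections import defaultdict

CODE_SPACE = 10**7        # a 7-digit numeric single-use code, as in the email quoted above
SECONDS_PER_DAY = 86_400


def unlimited_cracks_per_day(parallel, seconds_per_attempt, code_space=CODE_SPACE):
    """GDB2222's arithmetic: with no limit on guesses, each guess has a 1/code_space
    chance, so expected accounts cracked per day = attempts per day / code_space."""
    attempts_per_day = parallel / seconds_per_attempt * SECONDS_PER_DAY
    return attempts_per_day / code_space


def years_to_crack_with_lockout(max_tries, lockout_seconds, code_space=CODE_SPACE):
    """Sandtree's point: if the code is invalidated after max_tries wrong guesses and a
    fresh code must be requested after a lockout, each window succeeds with probability
    max_tries/code_space, so ~code_space/max_tries windows are needed, each costing
    lockout_seconds. Every window also emails the real owner a code they never asked
    for, which is exactly the signal the original post describes."""
    windows = code_space / max_tries
    return windows * lockout_seconds / (SECONDS_PER_DAY * 365)


class CodeVerifier:
    """Toy single-use-code service with per-account lockout (constructed policy)."""

    def __init__(self, max_tries=5):
        self.max_tries = max_tries
        self._codes = {}                     # account -> live code, or None if none is live
        self._failures = defaultdict(int)

    def request_code(self, account):
        code = f"{secrets.randbelow(CODE_SPACE):07d}"   # CSPRNG, zero-padded to 7 digits
        self._codes[account] = code
        self._failures[account] = 0
        return code   # a real service emails this; returned here only so the demo can use it

    def verify(self, account, guess):
        code = self._codes.get(account)
        if code is None:
            return "no_code"             # consumed or locked: a new request is required
        if hmac.compare_digest(code, guess):   # constant-time comparison, not ==
            self._codes[account] = None        # single use: consumed on success
            return "ok"
        self._failures[account] += 1
        if self._failures[account] >= self.max_tries:
            self._codes[account] = None        # invalidate the code after too many misses
            return "locked"
        return "wrong"


class SprayDetector:
    """Counts distinct accounts attempted per source IP: the signal GDB2222 mentions for
    an attacker cycling one guess each over a long list of addresses."""

    def __init__(self, max_accounts_per_ip=20):
        self.max_accounts_per_ip = max_accounts_per_ip
        self._accounts_by_ip = defaultdict(set)

    def record(self, src_ip, account):
        self._accounts_by_ip[src_ip].add(account)
        return len(self._accounts_by_ip[src_ip]) > self.max_accounts_per_ip

    def flagged_ips(self):
        return {ip for ip, accs in self._accounts_by_ip.items()
                if len(accs) > self.max_accounts_per_ip}


def simulate_spray(num_accounts, guesses_per_account, src_ip="203.0.113.7", max_tries=5):
    """Constructed scenario: one attacker IP tries guesses_per_account random codes against
    each of num_accounts accounts. Returns (hits, accounts_locked, attacker_ip_flagged)."""
    verifier = CodeVerifier(max_tries=max_tries)
    detector = SprayDetector()
    hits = locked = 0
    for i in range(num_accounts):
        account = f"user{i}@example.invalid"
        verifier.request_code(account)
        for _ in range(guesses_per_account):
            detector.record(src_ip, account)
            result = verifier.verify(account, f"{secrets.randbelow(CODE_SPACE):07d}")
            if result == "ok":
                hits += 1
                break
            if result == "locked":
                locked += 1
                break
    return hits, locked, src_ip in detector.flagged_ips()


if __name__ == "__main__":
    print("no limit, 1000 workers x 3 s/attempt:", unlimited_cracks_per_day(1000, 3), "accounts/day")
    print("5 tries then 1 h lockout:", round(years_to_crack_with_lockout(5, 3600)), "years per account")
    print("spray 50 accounts x 5 guesses (hits, locked, flagged):", simulate_spray(50, 5))
```

With the numbers from the thread, the no-limit model gives 2.88 accounts a day; with five tries per code and an hour before a new code can be requested, the same attacker needs on the order of 228 years per account, and the unrequested-code emails pile up in the owner's inbox long before that. The detector is deliberately crude (a set per IP): real systems also rate-limit per account and per IP range, but the per-IP distinct-account count alone is enough to flag the 50-account spray in the simulation.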