Microsofts Account Recovery Process is not keeping up with the times.

Markus Orchowski1 · Jan 5, 2024

Recently my son was phish through discord and had his Microsoft Account immediately hijacked. Although he had two step verification on, he did not have additional MFA protection, however I don't think that would have helped.

Immediately after the successful phishing attempt, the hacker added their email address to the Microsoft Account, set it to the primary and removed his email account. He was notified of these changes with emails saying that if this was not his intention to sign in and review login activity. Unfortunately the hackers worked so quickly that once he received the email and attempted to sign in within 2 minutes of the attack, the account was already gone.

Now Microsoft offers one and only one method to recovery Microsoft accounts. That is the automated tool that is severely lacking and makes hijacked account impossible to recover. The problems are the following:

accounts with multi-step authentication are not recoverable

the tool ignores login history

Microsoft Allows email addresses with the account to swapped out and reused instantly

According to this site: How to Reset & Recover Microsoft Account - Microsoft Community if the account has multi-step turned on, the recovery tool will not proceed. This one step which is enabled by default on all accounts, means that all Microsoft Accounts are not recoverable.

The tool also says that you should use the same computer as you had been using to. Presumably Microsoft maintains a record of login information such as computer and IP Address. If an account had been logged into every day from the same computer and IP address for 4 years and then it changes to something different, if the account recovery tool request form came from the same computer and IP address of the original that matches the login for 4 years, this would be a very quick and easy confirmation that the rightful owner is requesting access.

Finally when my son attempted to login 4 minutes after the attack with the email address, Microsoft Prompted him to setup a new account and allowed this to happen. Most systems would prevent reuse of an identifier within a set time period 1 hour, 4 hours 24 hours whatever. But apparently not with microsoft. Furthermore when we originally attempted to reset the account based on the information provided by the security notification that the email address had changed, the hacker again changed the email address to something entirely different and the Microsoft Account Recovery tool said, sorry this account does not exist.

So where does this leave us. According to all the forums and help centers and readme. No human at Microsoft can recover the account and the Tool which is fully automated can't do anything else then what it is programmed to do.

:)

Gabriel Limback

To recover your account, you can contact Microsoft as they do have logs of previously added emails. Then add proof of transactions or ownership before the initial hacking. To prevent this from happening you ensure that your password for your account isn't on any websites nor account password saver/manager. To decrease your chances please don't download suspicious files, scanning QR codes or anything that you are not sure of. To prevent your chances of not being hacked & a very secure layer of protection you can buy a Hardware Security Keys

Courtney Todd

Hi Markus O, my name is Courtney and I would be happy to help.

I'm sorry to hear that someone stole your account. I know how frustrating it can be when this happens. Let's say that the only alternative you have at this moment is to send the account recovery form (If your information was deleted there is nothing to do unfortunately), I have also been through this situation, so I can give you some recommendations:

The first thing is to enter information that the account has, in case a phone number or card has been deleted, you should simply omit that information and not add it to the form. That said, you can enter the following link:

https://account.live.com/acsr

Please note that Support cannot help recover accounts, but in that case, if you want to contact them and talk in a live chat for more detailed information, you can access the following link.

Support: https://support.xbox.com/contact-us/

Please note that this is a Microsoft public forum, where we are gamers like you trying to guide/help other gamers solve basic problems they are having, this means we are not Microsoft employees.

Information source (Credits): https://answers.microsoft.com/thread/50d0d753-c765-4478-933f-8e005c780dd0

I hope this information has been useful to you.

Best regards,
Courtney.

Rodrigo Oliver

Hello John,

You can try the Account Recovery Form: https://account.live.com/acsr

Detailed steps on how to use the Account Recovery Form can be found here: https://support.microsoft.com/office/b19c02d1-a782-dee6-93c3-dc8113b20c42

Microsoft takes account security very seriously, that's why Account Recovery is an automated process with no human influence. If you don't have the correct information, you may not be able to get through account verification using the Recovery Form.

The Account Recovery Form requires adequate information to prove that you are the owner of the account. The Account Recovery Process can be a time-consuming process, but providing as much info as possible from the start of the process will increase the possibility of being verified by the automated process. You'll need to keep trying until you're verified by Microsoft.

Remember to use a familiar device from which you've frequently accessed your Microsoft account, as well as a familiar location. Microsoft will review your responses and respond within 24 hours. If you are verified, instructions on how to log back into your account will be sent to you, and if you are not verified, you will need to submit the Account Recovery form again. You can do this up to 2 times every 24 hours.

It's important to note that Microsoft Support will not be able to grant you access to your account, you will be sent back to the Account Recovery pages that have been linked above.

kyle_m4496

Hi Darmok. My name is Kyle and I'm an independent advisor.

It is important to keep your account's information safe, secure, and up to date, to avoid the risk of losing your account.

To protect customer privacy, Microsoft can only help customers verify their account ownership through the online password recovery process: https://account.live.com/acsr

Customer support cannot assist with account recovery. The recovery form is partially automated, if it detects you haven't provided enough information it will deny your request. However, requests are forwarded to Microsoft Support if needed.

If you remember any new details that might help with the recovery process, it's encouraged to keep trying to recover your account using the online account recovery form.

https://support.xbox.com/help/account-profile/manage-account/lost-password-solution

Rodrigo Oliver

Hi Kevin, my name is Rodrigo. I'm an Independent Advisor and a member of the Microsoft community and I'd love to assist you today.

I truly am sorry to hear that.

Sadly, if you can't provide the necessary information, it won't be possible to recover the account.

Microsoft takes your security very seriously, and to protect customer privacy we can only help customers verify their account ownership through the online password recovery process.

If you remember any new details that might help with the recovery process, we encourage you to keep trying to recover your account using the online account recovery form.

You can find helpful tips on how to use the recover form on this link:

https://support.microsoft.com/accou...ery-form-b19c02d1-a782-dee6-93c3-dc8113b20c42

If your Microsoft account recovery request wasn't granted, you can keep trying as many times as you want, up to two times per day.

Source: https://support.xbox.com/help/account-profile/manage-account/lost-password-solution

I hope this helps!

Microsofts Account Recovery Process is not keeping up with the times.