Like the title says, I’ve got yesterday an email with a code to access my Microsoft account and that made me suspicious because I wasn’t trying to login to my account. When I looked at the login attempts I saw that someone else was trying to access my account, I changed my password, activated TFA. Thinking of going through and buying a physical key like yubico to further secure my account. Any tips are appreciated.
Happened to me too yesterday. Gave me a big bump to my evening plans. Luckily I too have 2fa activated via 2 different systems {SMS AND second Mail address). They cracked my randomly generated password - which doesn't surprise me that much, brute force cracker are pretty effective nowadays.
What bums me is that I used this as an argument to teach a friend but he just used the same ol' reliable "naah, I'm too lazy". Can't change him, just told him to think about using 2fa everywhere money is involved. The rest is up to him.
What's also pretty bad from MS is that yes you can use several different mailadresses but no you can't prevent that all of them can be used as login. One is compromised but also used for mail traffic so I can't just delete it. But also can't prevent it from logging in to the account. Thanks MS..
I'm actually surprised that it'd be feasible to use a brute force approach to gain access to an online account. I would expect them to hit some kind of rate-limiting long before they'd find the correct password
Looking at my history, they're hours or a day apart. Probably no chance of getting into any halfway decent password that way, but if they can automate it with thousands of different email addresses, eventually they'd get an account with a weak password and get in.