
Spamming Password Requests

MegaMan001 (CRNA, Rochester, MN) Registered User regular
Someone has been trying to get into my various accounts by spamming password reset requests. I've changed my passwords, and everything has 2FA so I don't think I'm at a major risk, but is there anything else I can do?

I guess there's nothing stopping someone from just putting my email into any random website.

I am in the business of saving lives.

Posts

  • Dark Raven X (Laugh hard, run fast, be kind) Registered User regular
    Yeah, there seems to have been a sharp uptick in hacking attempts recently. I get Facebook security codes every hour now, whoo. My Microsoft account got broken into this week too, and Lady Raven's Spotify yesterday. Feel like this is just what the internet is now. Pretty cool! :I

    Oh brilliant
  • Reznik Registered User regular
    Ticketmaster just got hacked so I assume that's going to fuel a lot of attempts in the near future.

    I think the only other thing you can do is simply delete any accounts that you don't think you need anymore.

    Do... Re.... Mi... Ti... La...
    Do... Re... Mi... So... Fa.... Do... Re.... Do...
    Forget it...
  • BahamutZERO Registered User regular
    I've been getting a lot of login requests to my microsoft account and others with 2FA in the last few months as well, fortunately none of them seem to have anything more than my email address but it is annoying.

  • Riboflavin Registered User regular
    Waaaaay back in the day I used Cain and Abel to try and crack a password, I think on a spreadsheet, I had forgotten and it told me it would take like 7 months for like 10 characters.

    I don't understand how they do this today. Doesn't it lock out after a certain number of failed attempts? My work locks me out for 30 minutes if I fail 3 times.

    The only thing I did in the last couple of years was add a couple characters to my passwords to make them more complex. I have 2fa on places that offer it.

  • Feral (MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ) Registered User regular
    edited June 5
    Riboflavin wrote: »
    Waaaaay back in the day I used Cain and Abel to try and crack a password, I think on a spreadsheet, I had forgotten and it told me it would take like 7 months for like 10 characters.

    I don't understand how they do this today. Doesn't it lock out after a certain number of failed attempts? My work locks me out for 30 minutes if I fail 3 times.

    The only thing I did in the last couple of years was add a couple characters to my passwords to make them more complex. I have 2fa on places that offer it.

    Well, there's no way to know for sure what's hammering your account or why. But there are two common scenarios.

    With the number of breaches we've had over the last decade, there's a good chance one or more of your passwords somewhere has been compromised. (Usually by a back-end breach, like some random website you signed up for 10 years ago had a poorly-encrypted database, and that database got leaked and decrypted.) The attacker knows that people often reuse passwords, so they just attempt to reuse your leaked password from oldshittywebsiteyouforgotabout.com and use it on microsoft.com.

    That's the biggest reason why you shouldn't reuse passwords across different sites.

    The other scenario is password spraying. Instead of hammering a single account all day, they use a common password across thousands of accounts at once. They figure that somebody is using "June2004" or some other simple password string. They don't need to waste time on guessing your password 5000 times, if they just guess 3 passwords across 5000 different usernames.

    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • MegaMan001 (CRNA, Rochester, MN) Registered User regular
    As an update to this it's clear that scammers have got my email (which...isn't exactly a coup) and keep trying to create accounts left and right in my name.

    I spent the time to go through all my stuff and change everything and delete every old account I could - shout out to Papa Johns which does not let you delete your account.

    Disney+ keeps sending me password reset requests. Around 500 requests since I first posted. Doesn't speak well to their system since I canceled my account and I haven't gotten any real message from them.

    I am in the business of saving lives.
  • HappylilElf Registered User regular
    I've been getting Microsoft 2FA emails for months at this point and the only conclusion I can figure out is that there is someone who thinks my email is their email or something and instead of figuring that out they just keep trying

    I wish there was a way to contact Microsoft and have them reach out to whoever the hell it is and tell them they have the wrong email or something but alas

  • Heffling (No Pic Ever) Registered User regular
    Feral wrote: »
    Riboflavin wrote: »
    Waaaaay back in the day I used Cain and Abel to try and crack a password, I think on a spreadsheet, I had forgotten and it told me it would take like 7 months for like 10 characters.

    I don't understand how they do this today. Doesn't it lock out after a certain number of failed attempts? My work locks me out for 30 minutes if I fail 3 times.

    The only thing I did in the last couple of years was add a couple characters to my passwords to make them more complex. I have 2fa on places that offer it.

    Well, there's no way to know for sure what's hammering your account or why. But there are two common scenarios.

    With the number of breaches we've had over the last decade, there's a good chance one or more of your passwords somewhere has been compromised. (Usually by a back-end breach, like some random website you signed up for 10 years ago had a poorly-encrypted database, and that database got leaked and decrypted.) The attacker knows that people often reuse passwords, so they just attempt to reuse your leaked password from oldshittywebsiteyouforgotabout.com and use it on microsoft.com.

    That's the biggest reason why you shouldn't reuse passwords across different sites.

    The other scenario is password spraying. Instead of hammering a single account all day, they use a common password across thousands of accounts at once. They figure that somebody is using "June2004" or some other simple password string. They don't need to waste time on guessing your password 5000 times, if they just guess 3 passwords across 5000 different usernames.

    I would also add that these people buy and sell lists of hundreds of thousands to tens of millions of email account names. So even if it's 3 guesses and then you're locked out for half an hour, they just set it up to do 3 guesses and then go to the next email. By the time they reach the end of the list, the start of the list has timed out.

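As an added illustration of the two patterns Feral and Heffling describe (example code written for this thread, not something any poster supplied), the script below runs over a constructed sign-in log and separates a source that sprays a few guesses across many accounts from a single account that is hammered from several sources while each source stays under a 3-failure lockout. The log lines, IP addresses and thresholds are all made up.

```python
# Added example: classify failed sign-in attempts in a constructed log as
# password spraying (few guesses per account, many accounts, one source) versus
# one account being hit from many sources, each staying under the lockout limit.
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: timestamp, account, source IP, outcome.
SAMPLE_LOG = """\
2024-06-05T10:00:01 alice@example.com 203.0.113.10 FAIL
2024-06-05T10:00:03 bob@example.com 203.0.113.10 FAIL
2024-06-05T10:00:05 carol@example.com 203.0.113.10 FAIL
2024-06-05T10:00:07 dave@example.com 203.0.113.10 FAIL
2024-06-05T10:00:09 erin@example.com 203.0.113.10 FAIL
2024-06-05T10:00:11 frank@example.com 203.0.113.10 FAIL
2024-06-05T10:05:00 victim@example.com 198.51.100.7 FAIL
2024-06-05T10:05:02 victim@example.com 198.51.100.7 FAIL
2024-06-05T10:05:04 victim@example.com 198.51.100.7 FAIL
2024-06-05T11:05:00 victim@example.com 192.0.2.44 FAIL
2024-06-05T11:05:02 victim@example.com 192.0.2.44 FAIL
2024-06-05T11:05:04 victim@example.com 192.0.2.44 FAIL
2024-06-05T11:30:00 alice@example.com 203.0.113.99 OK
"""

def parse(log):
    """Turn the whitespace-separated log into (time, user, ip, result) rows."""
    rows = []
    for line in log.splitlines():
        ts, user, ip, result = line.split()
        rows.append((datetime.fromisoformat(ts), user, ip, result))
    return rows

def detect_spray(rows, min_accounts=5, max_per_account=3):
    """Sources that fail against many distinct accounts while never exceeding
    the per-account lockout threshold: the spraying pattern Feral describes."""
    fails = defaultdict(lambda: defaultdict(int))
    for _, user, ip, result in rows:
        if result == "FAIL":
            fails[ip][user] += 1
    return sorted(ip for ip, per_user in fails.items()
                  if len(per_user) >= min_accounts
                  and max(per_user.values()) <= max_per_account)

def detect_hammered_accounts(rows, min_sources=2):
    """Accounts collecting failures from several distinct sources, the view a
    user sees on their own sign-in activity page."""
    sources = defaultdict(set)
    for _, user, ip, result in rows:
        if result == "FAIL":
            sources[user].add(ip)
    return sorted(u for u, ips in sources.items() if len(ips) >= min_sources)

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("spraying sources:", detect_spray(rows))
    print("hammered accounts:", detect_hammered_accounts(rows))
```

Per-account lockouts alone never trip on either pattern here, which is why a detection has to pivot on the source address and on the number of distinct accounts it touches.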
  • bowen (Sup?) Registered User regular
    I've been getting Microsoft 2FA emails for months at this point and the only conclusion I can figure out is that there is someone who thinks my email is their email or something and instead of figuring that out they just keep trying

    I wish there was a way to contact Microsoft and have them reach out to whoever the hell it is and tell them they have the wrong email or something but alas

    Rumor is there was a huge Microsoft data breach that hasn't been announced yet.

    Highly recommend everyone change their Microsoft account passwords if you haven't done so in a few weeks.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • BahamutZERO Registered User regular
    I've been getting Microsoft 2FA emails for months at this point and the only conclusion I can figure out is that there is someone who thinks my email is their email or something and instead of figuring that out they just keep trying

    I wish there was a way to contact Microsoft and have them reach out to whoever the hell it is and tell them they have the wrong email or something but alas

    This has been happening to me too. I think there's just a large scale botting operation doing something with the emails on the MS account login specifically.

  • BahamutZERO Registered User regular
    bowen wrote: »
    I've been getting Microsoft 2FA emails for months at this point and the only conclusion I can figure out is that there is someone who thinks my email is their email or something and instead of figuring that out they just keep trying

    I wish there was a way to contact Microsoft and have them reach out to whoever the hell it is and tell them they have the wrong email or something but alas

    Rumor is there was a huge Microsoft data breach that hasn't been announced yet.

    Highly recommend everyone change their Microsoft account passwords if you haven't done so in a few weeks.

    well fuck

  • BahamutZERO Registered User regular
    ok actually logged in to my account and looked at sign in activity, and yep my email has been getting hammered with 3 incorrect password guesses every hour from the ass ends of the world for months. Clearly someone trying to brute force MS account passwords.

  • Gilgaron Registered User regular
    edited June 10
    I just got a credit card in the mail I didn't request, and the phone rep seemed like she'd been handling quite a bit of those the day I called. I got a call from a slightly more frantic call room the following day confirming that I didn't request yet another card from them; the rep's tone was very "Yeah I'm sure that this is fraudulent but I'm supposed to double check."

    Edit to add: per @BahamutZERO's idea I checked my login attempts for my MS account and it has gone from ~3 a day to one every two hours. A variety of things, too, like account sync attempts, mobile and desktop logins, so... that's fun.

  • MegaMan001 (CRNA, Rochester, MN) Registered User regular
    Well. Fuck! I'm glad it isn't just me. Someone want to make a real thread? Do we have one?

    I am in the business of saving lives.
  • bowen (Sup?) Registered User regular
    Also, anyone using the email component of 365: make sure no mail forwarders or rules have been set up. That's something they've done once they've gotten access, forwarding all the emails to an external domain, so once you attempt to reset access with 2FA on all your accounts, they MITM attack you.

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Inquisitor77 (2 x Penny Arcade Fight Club Champion, A fixed point in space and time) Registered User regular
    ok actually logged in to my account and looked at sign in activity, and yep my email has been getting hammered with 3 incorrect password guesses every hour from the ass ends of the world for months. Clearly someone trying to brute force MS account passwords.

    I've had MFA turned on for everything (and used Authy as my default security token factor) for years precisely so I don't have to worry about stuff like this. But yeah, I suspect if you check any account login attempt history for anything tied to a reasonably-public username (e.g., your email address) then you will find that they constantly get spammed on a regular basis.

    (Just checked my Microsoft account and, yup, I get regular attempts from China, Brazil, and India pretty much every week.)

    The only real solution to this problem is to set up alias emails for everything but it's a lot of annoying work just to avoid a problem that's blocked with a password manager and MFA enabled.

    PSA: If you're concerned that someone has managed to get in then you can just change your password and then force everything to get logged out (Microsoft has that feature in account management somewhere).
