Question regarding refresh tokens and session ids

Donkin 45 Reputation points
2023-04-25T03:17:02.16+00:00

Hi, recently my Microsoft account has been compromised. Someone was able to get my password and login information. I changed my password and everything, but it is to my understanding that there is a token that they use to access my account. I don't really understand this fully, but to my understanding, they are able to log into my account and have access to my account even if I change my password because they have the session token. Is there a way to kick them off, or do I have to wait for the token to expire? If I have to wait, how long do I have to wait? I've seen various answers such as 1 day, 1 week, or even 90 days. I'd like to know the exact number of days so I can actually use my Microsoft account again. Secondly, I tend to play Minecraft on my account and that is where the hack originated from. Is their access limited to the game Minecraft, or are they able to access all information on my Microsoft account? I really don't know a lot about software and session IDs and whatnot. I am scared for my privacy and information being stolen and how long it will take to clear. I'd appreciate any help I can get. Thank you!


Accepted answer
  Limitless Technology 44,096 Reputation points
    2023-04-25T14:27:45.4533333+00:00

    Hello, in this case you are referring to an authentication or session token spoof. After changing your password, you should check if there are other accounts connected to your account, as they would receive synched emails with password resets, etc. You can follow this link to see the linked accounts: https://go.microsoft.com/fwlink/p/?linkid=842245

    If an account was present, remove it, set up Multi Factor Authentication using the link below, and then change your password again. https://support.microsoft.com/en-us/account-billing/turning-two-step-verification-on-or-off-for-your-microsoft-account-b1a56fc2-caf3-a5a1-f7e3-4309e99987ca#:~:text=Go%20to%20Security%20settings%20and,verification%20to%20turn%20it%20off.

    On the other hand, access tokens have a lifetime of 60-90 minutes (75 minutes on average), as specified here: https://learn.microsoft.com/en-us/azure/active-directory/develop/access-tokens#access-token-lifetime

    --If the reply is helpful, please Upvote and Accept as answer--


1 additional answer

  2023-04-26T18:18:18.82+00:00

    Hello @Donkin, adding to @Limitless Technology's answer, session tokens can last from 24 hours up to 90 days. They, however, do not provide unlimited access to every resource your account has authorized. This depends, also, on the previously logged-in application sessions.

    Additionally, and for Microsoft personal accounts, after resetting your password you can go to Security and click Sign me out. All Microsoft sessions except Xbox will be terminated in around 24 hours. During that timespan you can review your Activity to see if there are any unexpected login attempts and choose to re-secure your account.

    For additional recommendations, take a look at How to help keep your Microsoft account safe and secure.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
