
Account hacked (Automatic Sync), what does it mean and e-mail recycling.

Anonymous
2019-07-22T12:20:44+00:00

Hello,

So last week my main e-mail account that I had for ~16 years was hacked. Once (3 years ago) my data was leaked through LinkedIn and some other sites and I took notice through haveibeenpwned.com back then. This however was a very old password I didn't use anymore for any of my important accounts. My current password was also very different. Since that notice my email addresses and passwords never came up in the haveibeenpwned.com database. Still I was hacked and it was done through IMAP with an app password I never made. The hacker synced (probably with VPN) from Russia, Iran and China and after 6 successful syncs, Microsoft finally blocked access after the hacker started to sync from India. I have no idea why it would be logical for a person to log in from 3 different countries within a 4 hour span and not to be considered a threat...

Eventually I decided to change my e-mail address and removed the old one. I moved most of my important accounts to my new address and all works fine. A clean start if you will. However some things don't sit right with me. I still have no idea how they entered my account through IMAP with an app password. I scanned my PC multiple times with different software like AdwCleaner, HitmanPro and the Microsoft tool and nothing came up. I did have some sensitive data in my email box and I am afraid of ID theft. I did notify the police though and apparently they take this stuff seriously. Still I would like to know how many emails they could have stolen, if any, since most of the time when you sync your email with an app you only get the last 50 emails or so.

Another issue I have is the following: I removed my hacked email address (the alias) on recommendation of the internet. On the alias delete page it explicitly says that aliases with @hotmail.com, @live.com and @outlook.com will not be able to be used again. However when looking on Google I found out that Microsoft recycles addresses after 270 days.
Ref: https://www.google.com/amp/s/www.pcworld.com/article/2052586/microsoft-is-quietly-recycling-outlook-email-accounts.amp.html . I really don't want this to happen. Is there any way to avoid this?

The Microsoft phone support has not been of any help. They give answers to questions I didn't ask, like: "fill this form that is totally unrelated to your problem". The phone menu is also very tedious and I can't seem to get anyone on the phone anymore. They told me to arrange a phone call appointment on https://support.microsoft.com/nl-nl/agents however it redirects me to a parental control page.

I really hope someone here is able to give me some answers and maybe can help me. Thanks in advance!

Outlook | Web | Outlook.com | Account management, security, and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.
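
The pattern described in the question (successful IMAP syncs from several countries within a few hours) can be written as a simple detection rule over sign-in records. The Python below is an added example, not part of the original thread or of any Microsoft tooling; the record fields, the sample events and the thresholds are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# The thread notes that IMAP access does not prompt for a second verification step.
WATCHED_PROTOCOLS = {"IMAP"}

# Constructed sample data modelled on the post; the field names are assumptions,
# not the export format of any Microsoft service.
ACTIVITY = [
    {"time": "2019-07-14T18:30:00", "protocol": "Web",  "country": "NL", "result": "success"},
    {"time": "2019-07-15T01:05:00", "protocol": "IMAP", "country": "RU", "result": "success"},
    {"time": "2019-07-15T01:40:00", "protocol": "IMAP", "country": "RU", "result": "success"},
    {"time": "2019-07-15T02:20:00", "protocol": "IMAP", "country": "IR", "result": "success"},
    {"time": "2019-07-15T03:00:00", "protocol": "IMAP", "country": "IR", "result": "success"},
    {"time": "2019-07-15T03:45:00", "protocol": "IMAP", "country": "CN", "result": "success"},
    {"time": "2019-07-15T04:30:00", "protocol": "IMAP", "country": "CN", "result": "success"},
    {"time": "2019-07-15T05:10:00", "protocol": "IMAP", "country": "IN", "result": "blocked"},
]

def country_hopping_alerts(events, window=timedelta(hours=4), max_countries=1):
    """Alert whenever a successful watched-protocol sign-in adds a new country
    to the sliding window and the window then spans more than max_countries."""
    rows = sorted((dict(e, time=datetime.fromisoformat(e["time"])) for e in events),
                  key=lambda e: e["time"])
    recent, alerts = deque(), []
    for e in rows:
        if e["protocol"] not in WATCHED_PROTOCOLS or e["result"] != "success":
            continue
        # Drop sign-ins that have aged out of the window.
        while recent and e["time"] - recent[0]["time"] > window:
            recent.popleft()
        seen = {r["country"] for r in recent}
        recent.append(e)
        if e["country"] not in seen and len(seen) + 1 > max_countries:
            alerts.append({
                "time": e["time"].isoformat(),
                "countries": sorted(seen | {e["country"]}),
                "syncs_in_window": len(recent),
            })
    return alerts

if __name__ == "__main__":
    for alert in country_hopping_alerts(ACTIVITY):
        print(alert)
```

On this sample the rule fires at the third sync, when the second country appears, rather than after six successful syncs.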


6 answers

  1. Anonymous
    2019-07-22T14:32:49+00:00

    >>

    However when looking on Google I found out that Microsoft recycles addresses after 270 days.

    >>

    That is old information. They no longer allow addresses to be reused/recycled. Once an account is closed or you delete an alias from an account, it's no longer available, even to the person who had the address.

    See https://go.microsoft.com/fwlink/p/?linkid=2086738 for the Microsoft account activity policy.

    If you haven't accessed the account in 5 years it will be deleted (closed for good). Note that this is changing as of August 30, 2019: accounts will be closed after 2 years of inactivity. See https://www.microsoft.com/en-us/servicesagreeme... for upcoming changes.

    >>

    I still have no idea how they entered my account through IMAP with an app password.

    >>

    Do you have 2 factor authentication enabled and did you set up any app passwords?

    As an FYI, instead of deleting the address (if people still used it) you could have removed the ability to log in using that address and added aliases to the account.

    7 people found this answer helpful.
  2. Anonymous
    2019-07-22T14:57:17+00:00

    Thank you, Diane, for the reply. Hearing this is kind of reassuring. To answer your last point, I figured that out, yes. After deleting the alias though. But in the end I am actually kind of happy it is deleted.

    The IMAP thing is apparently something many have encountered with all security measures. Since IMAP doesn't need 2nd step verification. But to be honest it wasn't on when I got hacked.

    3 people found this answer helpful.
  3. Anonymous
    2019-07-22T15:16:59+00:00

    Definitely weird as to how they got an app password then. (I think I will delete my app passwords, just to be safe.)

    2 people found this answer helpful.
  4. Anonymous
    2019-07-22T15:04:29+00:00

    >> Since IMAP doesn't need 2nd step verification.

    Honestly, you shouldn't be using IMAP to access outlook.com. Mobile devices support it as outlook.com/exchange and will ask for the 2nd factor. The bigger problem IMHO is using public Wi-Fi. I also would reset app passwords every few months.

    2 people found this answer helpful.
  5. Anonymous
    2019-07-22T15:13:54+00:00

    I never used IMAP and that is why I am confused. Didn't even know about app passwords before the hack.

    1 person found this answer helpful.