
Security issue with Microsoft Authenticator account used on an Android device

Anonymous
2023-04-20T04:30:38+00:00

My personal Outlook email account was hacked and I'm not sure if I'm still the sole owner of the email account, because once a hacker hacks and adds the Outlook email account to the Microsoft Authenticator app on Android, he gets to retain account control even after changing passwords and using the "sign out of all devices" option. Also, there is no restriction like Authy's to limit the number of devices an authenticator can be installed on. For personal email accounts the risk is higher.


Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.


4 answers

  1. Anonymous
    2023-04-23T22:08:36+00:00

    Hello nk_907,

    Thank you for your prompt response.

    It is concerning to know that there is someone who can access your emails by setting up your account in the Microsoft Authenticator app. You can check from your security dashboard whether another way to sign in to your account has been added. Signing in to your account without using a password, using the code through the Microsoft Authenticator app, is an option. You can go back to signing in to your account using a password. To do so, follow the steps below:

    You can also turn off using the Microsoft Authenticator app when signing in to your account. See the steps below:

    You can also click Sign me out next to Additional security if you think someone might have access to your account. That way, you will be signed out from your trusted devices, including apps and browsers and anywhere else your account was used to sign in.

    We agree that what you have done is just right to make your account more secure. With regard to your concern about whether you are eligible for a bounty program for reporting this security flaw, the workaround was already established, and we are glad to know that you got it quickly, and we truly appreciate you reporting this to us immediately to prevent more damage to your account. You deserve appreciation, and what we can suggest is to provide feedback so it is heard. We suggest bringing it up through the dedicated support for the Microsoft Authenticator app. The link can be found here: Contact Microsoft Authenticator Customer Service (2023) | Fast Replies (appcontacter.com)

    By the way, the articles concerning the use of the Microsoft Authenticator app can be found through the link below:

    We look forward to your response. Kindly let us know if there is any misunderstanding or if you need clarification of our description by sending us a reply.

    Sincerely,

    Tomm_A

    Microsoft Community Moderator

  2. Anonymous
    2023-04-20T21:38:41+00:00

    The solution to the security issue would be to disable passwordless sign-in on Microsoft Authenticator when the user updates the login password or opts to sign out from all devices. That way it will force all users to log in with proper credentials. I guess I should be eligible for the bounty program for reporting this security flaw. If required, I can share pictures to visualize the issue. Thanks

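The mitigation proposed in the answer above (invalidate authenticator-based passwordless sign-in whenever the password is changed or "sign out everywhere" is used) can be shown with a small credential model. This is an added, simplified illustration written for this page; it is not Microsoft's code and makes no claim about how the real service is implemented. The `Account` class, the `revoke_enrollments_on_reset` flag, and all device ids and passwords are constructed for the example. It replays the timeline from the thread twice, once with enrollments that survive a password reset and once with enrollments that are revoked by it, so the difference in who can still sign in afterwards is visible in the returned values.

```python
# Added illustrative model (not Microsoft's code): authenticator enrollments
# that outlive a password change versus enrollments revoked together with it.
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> str:
    # Salted PBKDF2 so the model does not store the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


@dataclass
class Enrollment:
    device_id: str
    generation: int          # account credential generation at enrollment time
    revoked: bool = False


@dataclass
class Account:
    # True = a password change or global sign-out also invalidates every
    # authenticator enrollment (the behaviour the answer above asks for).
    revoke_enrollments_on_reset: bool = True
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    password_hash: str = ""
    generation: int = 0      # bumped on every password change / global sign-out
    enrollments: dict = field(default_factory=dict)
    sessions: set = field(default_factory=set)

    def set_password(self, password: str) -> None:
        self.password_hash = _hash_password(password, self.salt)

    def check_password(self, password: str) -> bool:
        candidate = _hash_password(password, self.salt)
        return hmac.compare_digest(self.password_hash, candidate)

    def enroll_authenticator(self, device_id: str, password: str) -> bool:
        """Enrolling a device needs the current password, as described in the thread."""
        if not self.check_password(password):
            return False
        self.enrollments[device_id] = Enrollment(device_id, self.generation)
        return True

    def passwordless_sign_in(self, device_id: str) -> bool:
        """Sign in through an enrolled authenticator without supplying the password."""
        enrollment = self.enrollments.get(device_id)
        if enrollment is None or enrollment.revoked:
            return False
        self.sessions.add(device_id)
        return True

    def _reset_credentials(self) -> None:
        self.generation += 1
        self.sessions.clear()            # existing sessions are always dropped
        if self.revoke_enrollments_on_reset:
            for enrollment in self.enrollments.values():
                enrollment.revoked = True  # passwordless sign-in must be re-established

    def change_password(self, new_password: str) -> None:
        self.set_password(new_password)
        self._reset_credentials()

    def sign_out_everywhere(self) -> None:
        self._reset_credentials()


def run_scenario(revoke_on_reset: bool) -> dict:
    """Replay the thread's timeline with constructed device ids and passwords."""
    acct = Account(revoke_enrollments_on_reset=revoke_on_reset)
    acct.set_password("owner-password-1")                       # constructed
    acct.enroll_authenticator("owner-phone", "owner-password-1")
    # Day 1: an unknown device is enrolled while the password is known to someone else.
    unknown_enrolled = acct.enroll_authenticator("unknown-device", "owner-password-1")
    # Day 3: the owner rotates the password and signs out of all devices.
    acct.change_password("owner-password-2")
    acct.sign_out_everywhere()
    unknown_after = acct.passwordless_sign_in("unknown-device")
    # The owner re-enrolls with the new password and regains passwordless sign-in.
    acct.enroll_authenticator("owner-phone", "owner-password-2")
    owner_after = acct.passwordless_sign_in("owner-phone")
    return {
        "unknown_enrolled": unknown_enrolled,
        "unknown_access_after_reset": unknown_after,
        "owner_access_after_reset": owner_after,
    }


if __name__ == "__main__":
    print("enrollments survive reset:", run_scenario(revoke_on_reset=False))
    print("enrollments revoked on reset:", run_scenario(revoke_on_reset=True))
```

With `revoke_on_reset=False` the unknown device keeps passwordless access after both the password change and the global sign-out, which is the situation the thread describes; with `revoke_on_reset=True` only a device re-enrolled with the new password can sign in. The design point is that a password rotation should advance a credential generation and invalidate everything derived from the old one, not just the sessions.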
  3. Anonymous
    2023-04-20T21:10:51+00:00

    I will give an example.

    Suppose on 10th April my email was hacked and the hacker gets to add the email account on his mobile device separately with the password which he received through phishing (since there is no limit on the number of devices the authenticator can be used on for the same email).

    On 12th April I recognize the hack, I change the password of my Outlook email account and use the "sign out of all devices" option. Those two security settings only remove access from the Outlook app but not from Authenticator. Authenticator allows access to emails and also access to change the password or any other security settings at any time for the hacker.

    Today I have control over the email password but the hacker gets to see all my emails even after changing the passwords, and if he wants he can change security settings at any time. I don't face any error at present in logging into the email account.

    Once an account is added in Authenticator, he can access email without even knowing the updated password information.

    Reality:

    I recognized that my alternate Gmail account, which was used as one of the 2FA alternative emails, was hacked (under logged-in devices someone from a different state was there). I removed the alternate Gmail later on. But today I don't have confidence that I'm the only one able to access my email information even though I have control over the current password.

    I'm responding to this post by accessing the email account directly from Authenticator without even needing to sign in with two-factor verification after the password change.

  4. Anonymous
    2023-04-20T18:27:54+00:00

    Hello nk_907,

    Thank you for sharing your concern here in Microsoft Community Forum and we hope that all is well.

    Based on the description, you are having an issue with your Microsoft account that was hacked. Let us see how we can help.

    Before we proceed any further, we would like to set your proper expectation that Microsoft account recovery is managed by a completely automated server, and we do not have manual access to it. Microsoft takes the security and privacy of our customers very seriously. We are committed to protecting your personal information, and the meticulous account recovery process is intended to protect you from any possible malicious activity. For now, please allow me to do the best I can in helping you with the process.

    We would like to ask a few questions to help us understand the issue better.

    1. Did you personally set up your Microsoft account in the Microsoft Authenticator app?
    2. When you say your personal email account was hacked, does it mean you do not have access to the security information added to your account?
    3. Did you mean the hacker had set up your email account in the Microsoft Authenticator app?
    4. When you sign in to your Microsoft account on the Microsoft account landing page, are you getting an error message?

    In the meantime, you may use the Microsoft account sign-in helper tool to check any issue with your Microsoft account. Make sure to select the correct option from this list and follow the instructions exactly. This has helped many account holders recover their account. We hope this helps you too! It is also possible to contact live support through this tool. See the link below.

    Additionally, you may check the link below on how to use the Microsoft Authenticator app.

    We look forward to your response. Kindly let us know if there is any misunderstanding or if you need clarification of our description by sending us a reply.

    Sincerely,

    Tomm_A

    Microsoft Community Moderator
