Security risk on email log-in screen

Algernon 5 Reputation points
2026-02-09T19:16:10.79+00:00

My main email account is not with Microsoft. For privacy reasons, however, I still use my old Microsoft Hotmail address for some purposes.

When I log on to it in Outlook, it displays the account's verification address as an optional method of confirming my ID.

That shows my personal domain (right of the "@"), of which I am the only user, in full, and so would link the Hotmail address to me, for any attacker trying to log in. This is a significant privacy and security issue.

It happens in new private windows, so is not cookie based.

There doesn't seem to be an option to turn it off, or to select the option to verify by password as the default, without displaying my domain. Is there? Is there any other way to prevent the verification email address's domain from displaying?

How can the security issue be escalated?

Outlook | Web | Outlook.com | Account management, security, and privacy
1 answer

  1. Chloe-L 10,090 Reputation points Microsoft External Staff Moderator
    2026-02-10T22:06:48.9066667+00:00

    Dear Algernon,

    Thank you for posting your question to the Microsoft Q&A.

    I completely understand your concern regarding privacy. You are using this Hotmail account specifically to maintain anonymity, so having the login screen display your personal domain—even as a "hint"—defeats that purpose. That is a very valid security observation.

    Currently, the Microsoft sign-in system is designed to display the domain of recovery emails (e.g., n*****@yourdomain.com) to help users remember where their verification codes are being sent. While this is helpful for most, I understand that for a custom domain owner like yourself, it inadvertently exposes your identity to anyone who sees that screen. Since this is currently a design behavior rather than a broken feature, the most powerful way to flag this as a security risk is through the Feedback Hub. This goes directly to the security engineering team.

    In the meantime, the most effective solution to protect your identity is to replace that specific recovery email with a generic one that cannot be traced back to you.

    Here are the steps to swap out that identification information:

    Step 1: Add a Generic Recovery Option

    This step gives the account a new "safe" place to send codes (like a generic Gmail, Yahoo, or a different phone number) before removing the private one.

    1. Log in to account.microsoft.com/security.
    2. Click on Advanced security options.
    3. Click Add a new way to sign in or verify.
    4. Choose an option that doesn't link to your identity (e.g., a dedicated "recovery" email address or the Microsoft Authenticator app).

    Step 2: Remove the Personal Domain

    Once the new method is verified, you can remove the one that is exposing you.

    1. On the same Advanced security options page, look for your personal domain email address.
    2. Click Remove.
    3. Confirm the removal.

    Once this is done, the login screen will only prompt you with the new, generic information (e.g., j*****@gmail.com), keeping your personal domain completely invisible to potential attackers.

    I hope this helps you regain that layer of privacy you need. Please let me know if you have any trouble accessing those security settings.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
