Microsoft account security Concern

Question

A few days ago, I filled this form : https://support.xbox.com/en-GB/forms/recover-your-microsoft-account

For my old Microsoft account wich was an outlook email address, and I was informed that the account appeared to have been compromised in the past and has since been deleted.

However, I am still concerned about a specific possibility and would appreciate your clarification.

My concern is that the attacker may have added a new email alias to the account and then removed my original alias [PII: Removed]@outlook.com. If that happened, I am worried that the account might technically still exist under a different alias, and that this could be why it appears as deleted.

To better understand how this works, I conducted a test. I created a new Microsoft account, changed its alias, and then submitted the recovery form using the previous alias. After one day, I received an email stating that the account’s security information appeared to have been changed. This suggests that the escalation team is able to distinguish between a deleted account and an account where the email alias has been modified, which is reassuring.

However, my concern remains regarding my original account. My last access to that account was about one year ago. I am worried that if a hacker changed the alias at that time, it might now appear as though the account was deleted, when in fact it still exists under a different primary alias.

It is also possible that I may have deleted the account myself about a year ago, although I am not completely certain.

Answer 1

Hello Vandad,  

Please note that our forum is a public platform, and we will modify your question to hide your personal information in the description. Kindly ensure that you hide any personal or organizational information the next time you post an error or other details to protect personal data. 

Thank you for reaching out to the Microsoft Q&A forum. I understand why this feels unsettling. In Microsoft accounts, an Outlook.com email address can be changed or removed as an alias, so the old address may stop working even if the account still exists under a different sign-in name. Alias events such as “Alias added”, “Alias deleted”, and “Primary alias changed” are recognized account activities, which matches the scenario you’re worried about.  

If the account was actually closed, Microsoft only allows reopening during the 30 or 60 day grace period; after that, it is permanently deleted and cannot be restored. Automatic deletion for inactivity applies after more than two years without signing in, so “last accessed about a year ago” would not typically fit the inactivity-deletion condition.  

I hope this clarifies things for you.  

Answer 2

When a Microsoft account is deleted, the associated email aliases are also permanently removed and cannot be reused. If your original alias (va***@outlook.com) was deleted, it cannot be associated with any Microsoft account again. If an attacker had access to your account and changed the alias, the account would still exist under a new alias, but it would not show as deleted in the same way as an account that was completely removed.

If you suspect that your account was compromised and the alias was changed, it is advisable to follow up with Microsoft support for further investigation. They can help clarify the status of your account and whether it still exists under a different alias. Additionally, if you have not accessed the account in a year, it is possible that it may have been deleted if you did not take action to keep it active.

For future security, consider enabling two-factor authentication and regularly updating your security information to protect your account from unauthorized access.