Microsoft Account Theft

Question

On Friday, January 30, 2026, we received alerts from Microsoft indicating that the passwords for two of our accounts had been changed without our authorization.

 

On the day of the breach, the attacker changed the account recovery settings to a different Email address. As a result, we are unable to recover the accounts since the verification codes are being sent to the attacker’s email address.

 

I believe that support can see that the attacker is using IP addresses that are not located in our origin and are not associated with us, unlike the address we have consistently used over the past years.

The attacker appears to be a Gamer who is using online games (we noticed activity on our Minecraft account), and we are concerned that additional valuable assets may be stolen.

We urgently request your assistance with the following:

-       Restoring access to our accounts

-       Reassigning our original email addresses, recovery emails, and correct personal details

-       Acting against the attacker to prevent similar incidents in the future

 

Please advise (& help ...).

Answer 1

Hey there! Nice to meet you!

I'm sorry you are experiencing this.

Since the security info has been replaced by the hacker, I'm afraid there is no other working method to recover the Microsoft account, and Microsoft Support cannot help either.

However, I would recommend reaching out to Minecraft Support regarding your Minecraft account if they can provide an alternative option:

https://help.minecraft.net/hc/en-us/request/new?ticket_form_id=360001225811

Thank you for your understanding.

Best regards,

Darhyl

Answer 2

need support help here

Answer 3

For consumer Microsoft accounts (Outlook.com, Xbox, Minecraft, etc.) support cannot manually override security or change ownership; only the official recovery and security processes can restore access.

Take these steps immediately:

1. Use the official hacked/compromised-account flow

• Go to the Microsoft account recovery/hacked-account help and follow the guided process to recover a hacked or compromised Microsoft account.
• The flow will ask for the affected email/phone and then either provide self‑help options or a way to contact an agent if available.
• Because the attacker changed the recovery email, do not rely on that address; instead, use an alternate email/phone that is still under control.

2. Use the Account Recovery form (if you can’t sign in)

• If sign‑in fails or codes go to the attacker, use the Microsoft Account Recovery form.
• Provide as much accurate detail as possible (old passwords, subject lines of recent emails, frequent contacts, approximate creation date, services used like Xbox/Minecraft, etc.).
• Submit the form from a device and location that has been used regularly over the years; this improves the automated checks.
• If the form is rejected, it can be updated and resubmitted after waiting for the lockout window to expire.

3. Review recent activity and unusual sign‑ins (if any access remains)

• If sign‑in is still possible on any of the affected accounts, go to the Recent activity page from the Security basics page.
• Review sign‑ins and mark any that are not recognized as “This wasn’t me” or choose “Secure your account” where available. This helps Microsoft flag the attacker’s IPs and sessions.

4. Secure any other Microsoft accounts and devices

• For any other Microsoft accounts still under control:
  • Immediately change passwords to strong, unique ones.
  • Turn on two‑step verification / multifactor authentication (MFA) and ensure the authenticator app and phone numbers are correct.
  • Check and correct security info (alternate email, phone) on the Security basics page.
  • Review Outlook.com mailbox rules and forwarding to remove any suspicious rules or forwarding addresses.
• On all PCs/phones used to access these accounts, run a full antivirus scan and ensure OS and security updates are installed.

5. If identity theft or payment fraud is suspected

• If any payment methods or personal identity data were misused, follow standard identity‑theft response steps:
  • Contact banks/payment providers, dispute unauthorized charges, and close or replace affected cards/accounts.
  • Consider placing a fraud alert with credit bureaus (where applicable).
  • File a police report and keep documentation of all actions.

6. Contact Microsoft Support where available

• For consumer accounts, direct support is limited, but:
  • Use the “Contact Support” or “Get Help” options from Microsoft Support pages after starting with “account hacked/compromised” or “account recovery” as the issue.
  • Explain that recovery info was changed and that there is suspicious gaming/Minecraft activity and non‑origin IP addresses.
• For Microsoft 365 work/school accounts, the tenant administrator must follow the compromised‑account response steps (password reset, revoke sessions, enable MFA, review mailbox rules/forwarding, etc.).

7. Ongoing protection

• After any recovery:
  • Change passwords again to ensure the attacker is locked out.
  • Enable and enforce MFA on all recovered accounts.
  • Regularly review Recent activity and security info.
  • Educate all users on phishing and how to recognize fake emails; legitimate Microsoft account‑security alerts come from domains ending in @accountprotection.microsoft.com.

These are the only supported ways to restore access and have Microsoft act on suspicious activity; support cannot simply reassign ownership based on a description of the incident.

---

References:

• How to recover a hacked or compromised Microsoft account
• What happens if there's an unusual sign-in to your account
• Notify us if you don't recognize activity on your account
• Help protect your Outlook.com email account
• Check the recent sign-in activity for your Microsoft account
• Protecting yourself from identity theft online