My account is taken over

Aris Barbageorgopulos 0 Reputation points
2026-03-23T14:26:46.42+00:00

My account was hacked, and both the email and password were changed. I can’t reset the password, and with 2FA enabled, I can’t do anything. The only information I have is the passkey and the email it was replaced with.

Outlook | Web | Outlook.com | Account management, security, and privacy

2 answers

  1. Winnie-B 7,180 Reputation points Microsoft External Staff Moderator
    2026-03-24T01:07:25.2933333+00:00

    Hi Aris Barbageorgopulos

    Thanks for reaching out.

    From what you described, it seems like the Microsoft account was taken over completely, and because two-step verification is enabled, you also can’t use the normal reset flow. I understand that’s a very difficult situation.

    Please kindly note that this is a public user-to-user forum; I do not have the ability or tools to unblock or recover accounts or bypass security. Only Microsoft’s official recovery process can restore access.

    To avoid repeating the Q&A Assist reply under your post, could you please confirm whether you already tried the official recovery steps listed? If yes, what happened?

    And do you still have the original account signed in anywhere at all (old PC, browser, phone, Xbox, etc.)?

    In the meantime, here's what you can do next:

    1. Try to sign in using the passkey via "Other ways to sign in" / "Sign-in options".

    If it works, immediately go to the Microsoft Security page via https://account.microsoft.com/security > Manage how I sign in > review recent activity, and remove unfamiliar sign-in methods and security info. Reference: Signing in with a passkey - Microsoft Support

    2. If you see a message like "Security info change is still pending" and you did not make that change, Microsoft says to use the "let us know" option on that page to report unauthorized security changes. Please see What does “Security info change is still pending” mean? - Microsoft Support

    3. If the passkey does not work anywhere, and the attacker changed the password and recovery details, then Microsoft’s supported path is only the official hacked-account recovery flow: How to recover a hacked or compromised Microsoft account - Microsoft Support

    Microsoft states there is no manual override for consumer accounts when ownership cannot be verified, especially with two-step verification enabled.

    You can reach out directly to the Microsoft Support team for further assistance:

    • Go to Contact - Microsoft Support
    • Search for "Account Recovery" in the search box.
    • Click "Get Help", then scroll to the bottom and select "Contact Support".
    • Choose the appropriate Products & Services/ Category.
    • Look for and select "Chat with a support agent in your web browser" (during business hours) or a similar callback option (if available). Explain your situation clearly.

    Thank you so much for your time and understanding.


  2. Q&A Assist
    2026-03-23T14:27:06.3766667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Follow the official Microsoft account recovery and hacked-account guidance. Because the email and password were changed, standard password reset will not be enough.

    1. Start with the hacked/compromised account guide: Use the official Microsoft troubleshooter for hacked accounts and follow it end to end: it walks through securing the account and using the recovery process if someone else changed the credentials.
    2. Use the Microsoft Account Recovery form (ACSR): Since the sign-in email and password were changed, submit the account recovery form for the original Outlook/Microsoft account:
      • Go to the Microsoft account recovery form (ACSR).
      • Enter the original email address that was taken over and an alternate contact email.
      • Provide as many accurate details as possible (old passwords, approximate creation date, services used, etc.).
      • Submit from a device and location previously used with the account, if possible.
      • If the result is “not enough info,” update the answers and resubmit; the form can be submitted multiple times. For tips on filling it out, see Help with the Microsoft account recovery form.
    3. If the account uses two-factor authentication (2FA): For accounts with 2FA, the recovery form cannot bypass 2FA. If a hacker has replaced the security info (phone, email, authenticator app) and the recovery form fails, there is no other supported method to regain access, and support cannot override this.
    4. If you can still sign in briefly: If sign-in is still possible on any device/session, immediately:
      • Go to the Microsoft account Security page.
      • Review Recent activity and mark any sign-ins that are not recognized.
      • Change the password to a strong, unique one.
      • Remove any unfamiliar security info (phone numbers, emails, authenticator apps) and keep only trusted methods.
    5. If the account truly cannot be recovered: If all recovery attempts fail and security info was replaced by the attacker, the account cannot be restored. In that case:
      • Create a new Microsoft account with a secure password and updated security info.
      • Update email addresses on other services to the new account.
    6. Secure other devices and accounts
      • Run antivirus/malware scans on all devices used with the account.
      • Change passwords on other important accounts (email, banking, social media), especially if the same or similar password was reused.

    For Outlook.com/Outlook on the web, all access is controlled by the underlying Microsoft account, so recovering that Microsoft account via the official processes above is the only supported way to regain mailbox access.

