
Mail compromised with 2FA

Thomas 0 Reputation points
2026-05-12T08:22:34.33+00:00

I have two e-mail accounts connected to the same username, one with a Gmail handle, and one with a Hotmail handle. Both with 2FA. One is my primary account and has my personal stuff and connections. The other one has NOTHING and is not in use on any site as far as I am aware. Today I got a warning on suspicious activity, the account without info was compromised and logged in Egypt, USA and Canada within a few minutes of each other.

My worry is: how did they get into my account when I have 2FA, did not approve any login, and the address is not in use anywhere?

Outlook | Web | Outlook.com | Account management, security, and privacy

2 answers

  1. EmilyS726 240.2K Reputation points Independent Advisor
    2026-05-12T12:31:26.9066667+00:00

    Can you confirm -

    Are these failed attempts? Or did it actually show that they have successfully signed into your account?


  2. AI answer

    2026-05-12T08:22:47.7866667+00:00

    Two-factor authentication greatly reduces the chance of account compromise, but it does not make it impossible. Based on the context, several explanations are plausible even when 2FA is enabled and the address is rarely used:

    1. Password was known or guessed, 2FA not fully enforced
    • If the account password was weak, reused from another breach, or guessed/brute-forced, attackers may have obtained the primary credential.
    • If 2FA was not required on every sign-in (for example, a trusted device/session already existed, or the attacker exploited an existing authenticated session), they could sign in without triggering a new approval prompt.
    • The guidance notes that password compromise attacks are responsible for most successful account hacks, and that multifactor authentication “can defeat almost all of them,” not literally all of them.
    2. Existing trusted session or remembered device
    • Many services only require the second factor the first time on a device/app or after a password change. After that, the device is treated as trusted and may not prompt again.
    • If an attacker somehow obtained or hijacked a valid session token (for example via malware on a device, or a stolen browser profile/cookies), they could appear to sign in from multiple locations without a fresh 2FA challenge.
    3. Sign-in activity view can look more alarming than it is
    • Location is inferred from IP address and can be inaccurate, especially with mobile networks or VPN/proxy use. Activity that appears to be from multiple countries in a short time can sometimes be routing artifacts.
    • However, if the browser, OS, or app shown in the sign-in history does not match normal usage, that is a strong indicator of real compromise.
    4. Email address exposure and password reuse
    • Even if the address is not actively used on sites, it may have been exposed in a data leak (for example, from an old registration or contact list) or guessed from a known naming pattern.
    • If the same or similar password was reused on other services that were breached, attackers can try those credentials against this account.

    What to do now

    1. Immediately change the password on the affected account to a strong, unique password that is not used anywhere else.
    2. Confirm that multifactor authentication is enabled and working, and re-register trusted devices if needed.
    3. Review recent sign-in activity; if any successful sign-ins are not recognized, change the password again and update security info.
    4. Check for any forwarding rules, inbox rules, or linked apps that could maintain access, and remove anything suspicious.
    5. Apply the same hygiene to the primary account (strong unique password, MFA on, review sign-ins), since both accounts share the same username identity.

    These steps align with the recommendation to use strong, unique passwords and multifactor authentication everywhere possible, and to treat unfamiliar successful sign-ins as potential compromise that requires immediate password change and security-info review.


    AI-generated content may be incorrect. Read our transparency notes for more information.

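The sign-in review that both answers point to (failed versus successful attempts, unfamiliar client, implausible geography), as an added example that is not part of the original thread or of any Microsoft tool. The record fields, `KNOWN_CLIENTS`, and the speed and distance thresholds are assumptions, and the sample records are constructed.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample of a "recent activity" list; field names are assumptions.
SAMPLE = [
    {"time": "2026-05-12T06:01", "ok": False, "where": "EG", "pos": (30.0, 31.2), "client": "Linux/Firefox"},
    {"time": "2026-05-12T06:03", "ok": True, "where": "US", "pos": (38.9, -77.0), "client": "Linux/Firefox"},
    {"time": "2026-05-12T06:05", "ok": True, "where": "CA", "pos": (43.7, -79.4), "client": "Linux/Firefox"},
]
KNOWN_CLIENTS = {"Windows/Edge", "iOS/Outlook"}  # what the owner normally uses (assumed)

def km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def triage(events, known_clients, max_kmh=900, min_km=500):
    """Return (verdict, reasons) for a list of sign-in records."""
    good = sorted((e for e in events if e["ok"]), key=lambda e: e["time"])
    if not good:
        # Only failed attempts: the password or the second factor stopped them.
        return "blocked-attempts", [f"{len(events)} unsuccessful sign-ins, none succeeded"]
    reasons = []
    for e in good:
        # A client the owner never uses is a stronger signal than location.
        if e["client"] not in known_clients:
            reasons.append(f"successful sign-in from unfamiliar client {e['client']} ({e['where']})")
    if reasons:
        return "likely-compromise", reasons
    for prev, cur in zip(good, good[1:]):
        delta = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
        hours = delta.total_seconds() / 3600
        dist = km(prev["pos"], cur["pos"])
        # Ignore short hops: IP geolocation is too coarse to trust them.
        if dist >= min_km and dist / max(hours, 1 / 60) > max_kmh:
            reasons.append(f"{prev['where']} -> {cur['where']}: {dist:.0f} km in {hours * 60:.0f} min")
    # Known client but implausible geography: may be VPN or mobile routing.
    return ("check-location", reasons) if reasons else ("normal", [])

if __name__ == "__main__":
    print(triage(SAMPLE, KNOWN_CLIENTS))
```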
