Log into your Microsoft account on this link to check the recent activity on your account, do you find any attempted logins from locations/countries you do not recognize, and if so, is it indicated the attempted logins were successful.
I received a verification code I did not request.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 88%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Beverley Spooner
0
Reputation points
I received a code on 21/05/26 which i did not request. Also my gmail address was used a few weeks earlier to access an online conference meeting I had no knowledge of and my Windows security PIN does not work and I have not changed it. I have changed my email password. Without my usual PIN, I cannot change it to a new one. I have a Norton subscription, which says I have no threats and everything is working after a full scan. Am I compromised?
Windows for home | Other | Security and privacy
2 answers
Sort by: Most helpful
-
DaveM121 891K Reputation points Independent Advisor2026-05-22T08:42:30.7433333+00:00 -
AI answer
2026-05-22T08:09:47.91+00:00 Unrequested verification codes and sign-in prompts usually mean either someone is trying to access the account or another person mistyped an email/phone number. On their own, they do not prove compromise, but combined with a non-working Windows PIN and unknown use of the email on a conference service, the situation must be treated as a potential account compromise.
Take these steps in order:
- Treat unrequested codes and prompts as suspicious
- Do not use or respond to any verification codes that were not requested.
- If any sign-in prompt appears (for example, “Are you trying to sign in?”), always choose Deny if it was not initiated.
- If verification codes arrive by email, verify that they come from @accountprotection.microsoft.com and that they refer to an account that actually belongs to the user. If the account or request is not recognized, ignore the code.
- Secure the Microsoft account and email
- The email password has already been changed, which is correct. Ensure the new password is unique and not reused anywhere else.
- Review security info on the Microsoft account (phone numbers, alternate emails, sign-in aliases, and registered authenticator apps) and remove anything that is not recognized. Use a known-good device and network when doing this.
- If unrecognized phone/email security info is shown when trying to get a verification code, confirm the correct account name and domain are being used (for example, .com vs .co.uk). If the account details are correct but the security info is not, follow the account recovery guidance linked in the context.
- Address the Windows PIN issue
- A non-working Windows PIN does not by itself prove compromise; it can also result from local profile or credential issues. However, because there are other suspicious signs, treat the device as potentially at risk.
- Since the PIN cannot be used, sign in with the account password instead (if available) and then reset the PIN from Windows settings. If sign-in is not possible at all, use another trusted device to secure the Microsoft account first, then work through Windows sign-in recovery options.
- Check devices and apps beyond Norton
- A clean Norton scan is helpful but not definitive. Ensure all devices that access the Microsoft account or email are fully updated and scanned.
- If any device shows repeated suspicious behavior (for example, drafts or sign-ins appearing without action), consider backing up important data and performing a full reset of that device.
- Monitor and reduce future risk
- Watch for additional unrequested verification codes or sign-in prompts. If they continue, consider moving toward passwordless sign-in methods such as Microsoft Authenticator, Windows Hello, or security keys, which are more resistant to password guessing and phishing.
- Inform close contacts to be cautious about unexpected messages or meeting invites that appear to come from the account until confident everything is secure.
Whether the account is definitively compromised cannot be confirmed from these symptoms alone, but the combination of unrequested verification code, unexplained use of the email address, and PIN issues is enough to justify treating this as a potential compromise and following the steps above to secure both the account and devices.
References:
AI-generated content may be incorrect. Read our transparency notes for more information.