6 Responses to “Breaking into Microsoft Account: It’s No Google, But Getting Close”

  1. KoolFirE says:

    Very interesting article! Thanks!

  2. Rolf Gutmann says:

    Good job, as the Americans say! Thank you!

  3. Sesh Murthy says:

    Background: My Hotmail account recently got hacked. I have been using Google Authenticator for two-factor authentication on this account. I also have two app passwords for my Mac email and my iPhone email.

    Microsoft says that I owned a Windows PC which uses this account (I may have bought it, set it up, and returned it without deleting all information).

    Someone from Vietnam performed a successful sync using Exchange ActiveSync to my account on October 7th. At that time, my iPhone mail said that it could not access my Hotmail account and asked for my password again. I entered it but did not change it.

    Next, someone from Indonesia signed in to my account on October 19th. They used the alias which is used only for Skype.

    I had a Skype account that was created independently of the Hotmail account, and somehow Microsoft has linked the two.

    I have since reset my password and deleted the Windows device. I have also removed all “trusted devices”.

    Microsoft says they cannot figure out how this happened. They seem to think it is user error. It is not.

    Questions:

    Has someone figured out how to compromise Google Authenticator? (Should I stop using Google Authenticator?)

    Can someone break into my iPhone and access Authenticator without my knowledge? (With a key logger, for instance?)

    How did the first sync occur? Is that by stealing my app password from my iPhone or Mac?

    Is there a mechanism to break into a Hotmail account using a less secure Skype alias?

    How do I report this to Microsoft and Google so that I get their attention?

    Thoughts:
    It would be nice if I could use a hardware security key to log in to my Microsoft account, like I can with my Google account.

    • Sesh,

      Thank you for sharing your story!

      We evaluated Google Authenticator a little bit but have not found any weaknesses so far. Even more, the Google token is pinned to the specific device and can be extracted/decrypted only with physical acquisition (and only from a jailbroken 32-bit device, so up to iPhone 5/5C). So the only vector of attack I can think of is obtaining the app password from your Mac (which is in fact also not very easy, unless you saved it in plain text and so it became accessible to some malware).

      Answering your other question — I do not think it is possible to compromise Microsoft Account through Skype, at least I never heard of that.

      To summarize, it is very hard to say what happened without performing deep investigation and analysis. But worst of all, I doubt that Microsoft can help 🙁

      Finally — yes, the ability to use a hardware key for accessing a Microsoft account would be nice!