[laurencei]

Yeah - and what is crazy is when you think about it - Microsoft generates a 6 digit code.

So it is a "one in a million" to randomly guess what the code is on any given login.

But it is "one in a million" for each Microsoft account you know about - and if they have millions of email addresses, and automate it each day (I also get attempts 1-2 times per day).

Yes - the odds are small - but there is a greater than 0% chance someone can randomly get into your Microsoft account - and there is no way to stop it - even with 2FA etc - this bypasses all of that!!!

Crazy...

[joezydeco]

I'm a little confused. Does the code get generated on any attempt to log in, or only those that have the password and MFA is activated? Or when someone attempts password recovery?

Because I'm a bit concerned if Microsoft passwords are leaking.

[laurencei]

When attempting to login to your Microsoft account, instead of typing your password you can do an optional "one time password" generation thing from Microsoft. So instead of typing your password +2FA - they email you a 6 digit "one time password" that you can use instead.

You cant disable this.

So all Microsoft accounts could have a daily 1 in 1 million chance of been overtaken.

Odds are low - but if you then spam this across thousands of attempts per day - they would statisically "get lucky" from time to time...

[firebat45]

One would think Microsoft wouldn't be stupid enough to provide endless amounts of one time codes for a single account. I would guess they provide 5-10 codes before escalating the login.

[joezydeco]

That makes much more sense, thanks. I'm guilty of using this from time to time as well.

[nitwit005]

If you have 500 million accounts you know of, you'd be breaking into around 500-1000 a day.

I suppose that's a decent rate, but it feels like most Microsoft accounts will just have something like Office or Minecraft set up.