[iEchoic]

Four times a day, I get an email notification that someone requested a password reset for my Microsoft account, which gives me a six-digit number to recover my account. So every day, an attacker has four shots in 1,000,000 of stealing my account by just guessing the number. They've been doing this for years.

If the attacker's doing this to thousands of accounts - which I'm sure they are - they're going to be stealing accounts for free just by guessing.

I wrote up a security report and submitted it and they said that I hadn't sufficiently mathematically demonstrated that this is a security vulnerability. So your only option is to get spammed and hope your account doesn't get stolen, I guess.

[Lukas_Skywalker]

I have added what I think they call login alias to my account. This blocks logins using the normal account username (which is my public email address), and only allows them via the alias (which is not public and just a random string). Not a single foreign login attempt since I enabled the alias.

You can enable it on account.microsoft.com > Account Info > Sign-in preferences > Add email > Add Alias and make it primary. Then click Change Sign-in Preferences, and only enable the alias.

[bsimpson]

This sounds a lot like Steam, where the name on your profile page is a vanity string that you can change whenever you want, but the actual username in their system is an unrelated (and immutable) ID.

[theschmed]

I hadn't thought of this use case for aliases.

I had to make my Outlook email primary again on my Microsoft account, unfortunately, because of how I use OneDrive. I send people share invitations and there are scenarios (or at least there were the last time I checked) where sending invitations from the primary account email is the only way to deliver the invite. If your external email alias is primary, they'll attempt to send an email from Outlook's servers that spoofs the alias email :/

[Lukas_Skywalker]

I just tested it, and it looks as if that was fixed. It seemed to work for me.

[Hnrobert42]

Then, is the login alias sort of a password? In that, it is something you know.

[Lukas_Skywalker]

In a way, yes. I don't count on it being private though. But it appears nowhere online, so it's not used by credential stuffers or other bots.

[BiteCode_dev]

Yep, back to passwords, but less secure ones.

[ramses0]

joe@smith.com, joe.smith@bigcompany.com

...those will get "drive by" attacks no matter what.

Interesting that they're letting you alias it back to "coolkid5674321" again...

[nomercy400]

I had to do this as well. My account got spammed daily in such a way I had to verify my account and change my password on every login.

With the alias I no longer have this issue.

[lanfeust6]

This is what I do. The crucial thing is to only use the alias for logging in.

[NoGravitas]

If they are doing this to 125,000 accounts, they should get an average of one account per day, right? So on average it would on average take them 342 years to get any specific account, but as long as they aren't trying for any particular account, they've got a pretty good ROI.

I guess the fix for this would be exponential backoff on failed attempts instead of a static quota of 4 a day?

[vdfs]

Why would doing this to 125K accounts give them access to one account per day? The chances of guessing 6-digtis pin code for each account is the same (10^6) regdless of how many accounts your are attacking

[MiddleEndian]

It's never truly guaranteed and the numbers aren't quite one account per day at 125k accounts, but:

10^6 digits = 1,000,000 possibilities

125,000 accounts x 4 attempts per account per day = 500,000 attempts per day

---

1-(1-1/1,000,000)^500,000 ≈ 39%

So every day they have a roughly 39% chance of success at 125,000 accounts.

---

At a million accounts:

1-(1-1/1,000,000)^(4×1,000,000) ≈ 98%

Pretty close to 1 account per day

Off by a factor of 4 but the concept stands.

---

And 125k accounts will be close to guaranteed to getting you one each week:

1-(1-1/1,000,000)^(7×4×125,000) ≈ 97%

[sobani]

> 1-(1-1/1,000,000)^(4×1,000,000) ≈ 98%

> Pretty close to 1 account per day

No, this means there is a 98% chance you get _at least_ 1 account.

`1-1/1,000,000` is the probability you fail 1 attempt. That probability to the 4millionth is the probability you fail 4 million times in a row. 1 minus _that_ probability is that the probability that you _don't_ fail 4 million times in a row, aka that you succeed at least once.

The expected number of accounts is still number of attempts times the probability of success for 1 try, or: 4 accounts.

[toast0]

What are the chances of getting 500,000 guesses (4 each for 125,000 accounts) wrong ? My math says 60%, so probably not one account per day, but if they keep it up for a week and everything else holds, there's only a 3% chance they haven't gotten any codes right.

[anonymars]

Guess the same code for every account.

Imagine the extreme case, where they pinged one million accounts and then tried the same code (123456) for each one. Statistically, 1 of those 1,000,000 six-digit TOTP codes will probably be 123456

[klabb3]

The code length should ideally be adaptive and increase if this happens.

[ccppurcell]

I get it too! I always assumed it was some hangover from that time I had to use crosses self Microsoft teams.

[bradleyankrom]

I get a similar message constantly for an old Instagram account - "sorry you're having trouble logging in, click here to log in and change your password!"

[Aachen]

I had the same issue on a useless old account. Could see the IP addresses of the sign-in attempts, they came from all over the world, all different ISPs, mostly residential. Nearly every request was from a unique /16! If botnets are used for something this useless, I dread to think what challenges at-risk people face

Adding 2FA was the solution

I couldn't find the method they were using in the first place, because for me it always asks for the password and then just logs me in (where were they finding this 6-digit email login option?!), but this apparently blocked that mechanism completely because I haven't seen another sign-in attempt from that moment onwards. The 2FA code is simply stored in the password manager, same as my password. I just wanted them to stop guessing that stupid 6-DIGIT (not even letters!) "password" that Microsoft assigns to the account automatically...

[jiggawatts]

I was authenticating a set of scripts five times for each run with MFA. Once, it asked me for six MFA prompts with no disambiguating info.

Did I click “Yes” to the attack the fifth time, or was the sixth the attack? Or was it just a “hiccup” in the system?

Do I cancel the migration job and start from the beginning or roll the dice?

It’s beyond idiotic asking a Yes/No question with zero context, but that was the default MFA setup for a few hundred million Microsoft 365 and Azure users for years.

“Peck at this button like a trained parrot! Do it! Now you are ‘secure’ according to our third party audit and we are no longer responsible for your inevitable hack!”

[hbn]

> “Peck at this button like a trained parrot!

All of the prompts users get these days in an effort to add "security" have trained users to mindlessly say "yes" to everything just so they can access the thing they're trying to do on their computer; we've never had less secure users. The cookie tracking prompts should probably take most of the blame.

I know with the last major macOS update, nearly every app is now repeatedly asking if it can connect to devices on my network. I don't know? I've been saying yes just so I don't have stuff mysteriously break, and I assume most people are too. They also make apps that take screenshots or screen record nag you with prompts to continue having access to that feature. But how many users are really gonna do a proper audit, as opposed to the amount that will just blindly click "sure, leave me alone"?

On my phone, it keeps asking if I want to let apps have access to my camera roll. Those stupid web notifications have every website asking if it can send notifications, so everyone's parents who use desktop Chrome or an Android have a bunch of scam lotto site ad notifications and don't know how to turn them off.

[mouse_]

Untold billions towards cyber security theater and there's still hackers. No one saw that coming!

[hbn]

I'd make a joke about cybersecurity theatre but I think zscaler will block the comment from being submitted

[bongodongobob]

Should be using app registrations for that, not user accounts.

[SergeAx]

Four times a day, times say 5 years = 7_300 tries. Times 10_000 accounts ≈ 73_000_000 tries. They should have access to ~70 accounts by now.

Cheapest VPS is $5/month, residential proxies are $3/1Gb, which equals ~$200 / 5 years.

$3 per hacked account — is it good unit economy?

[Randor]

Microsoft allows you create a second "login only" account username to access your e-mail and other services. I was having the same problem as you but much worse. Check into it, only takes a few minutes to setup.

[timdumol]

Does adding MFA not protect you against this? If you are secured by a TOTP on top of your password, it should not matter if they manage to reset your password.

[Huppie]

Somewhat, but imho the Microsoft MFA is also full of similar flaws.

As an example: I've disabled the email and sms MFA methods because I have two hardware keys registered.

However, as soon as my account is added to an azure admin group (e.g. through PIM) an admin policy in azure forces those to 'enabled'.

It took me a long time debugging why the hell these methods got re-enabled every so often, it boils down to "because the azure admin controls for 'require MFA for admins' don't know about TOTP/U2F yet"

Imho it's maddening how bad it is.

[w3ll_w3ll_w3ll]

Or you could enable MFA?