The Microsoft Coverup

If you have a Microsoft account, your account has been hacked. Microsoft accounts include Windows, Microsoft Store, Microsoft 365 and Office, OneDrive, and Cortana for Office 365 and Microsoft Teams, Xbox, Outlook.com, Skype, Microsoft Teams, Windows Insider Program, Movies & TV, Microsoft Edge, and Bing if you sign in, as well as your payment information. As Microsoft states on its account pages, “One account for all things Microsoft. One account. One place to manage it all.”

You have probably heard about the Microsoft Exchange attacks, the servers for Microsoft email service. If you haven’t, Chinese hackers infiltrated Exchange email servers creating a cybersecurity crisis. According to a Bloomberg March 12, 2021 article “the hackers breached banks and governments globally, as well as schools, hospitals, manufacturers and regional hotel chains.” Bloomberg, Yahoo Finance, and Venture Beat reported that the White House warned network operators about the global crisis.

The problem is that Microsoft has not informed consumers that their accounts have been hacked. This is a secret that they don’t want the public to know. They have thrown the average user to the wolves.

You see, the Exchange hack was known in January according to reputable news sources. However, it takes Microsoft time to work through the bugs of the software to create a fix for the issue. Maybe that is what is going on with Outlook. It is part of the Microsoft email service. Well, no. That isn’t what is going on. My Outlook account was locked as of February 22nd. I tried for a week, yes, seven whole days, to unlock that account. Microsoft never informed me that there had been a hack.

Let me tell you how this went. On February 22nd, I wrote an email and tried to send it. Instead of the message being sent, I received a message that stated “Couldn’t send the following message.” Below the email content there was another error message “We’ve noticed some unusual activity in your Outlook account. To help protect you, we’ve temporarily blocked it. Please verify your account.” There was a “Verify” link after that message. Of course, I clicked it. That URL brought me to another message that stated “Your account has been locked. We’ve detected some activity that violates our Microsoft Services Agreement and have locked your account.” Then it offered to send me a verification code. On that page, I entered my phone number and clicked “send code”. Then came the really big surprise. The next page stated “usage limit exceeded. Try again tomorrow.” Wait a minute! I only tried once.

Now I will just give you highlights of the rest of the week. Every single day, the first try had exceeded the limit. On the third day, I figured out how to ask to have my account unlocked using my old Hotmail account. At least I could still log in to that account. I also figured out that I could change my password and personal information in my locked account! Isn’t that some sort of security breach? By the fifth day, I had figured out the correct form to use with my Hotmail account to verify that account then ask to have my Outlook account unlocked. Microsoft did their usual wonderful job of verifying me. They asked what the last three passwords that I had used for that account were. Who saves passwords that they don’t use anymore? They also asked me for the subject lines for the last three emails I had sent from this account. What? Should I keep a list of the subject lines of messages that I send in case I am locked out of my account? For both accounts? Only Microsoft does this type of verification. Any other company has actual ways to verify a user. You have probably gone through this at some point. “What was the color of your first car? What is your oldest sibling’s middle name?” And, of course, the most loved text message to the listed phone number so that you can prove that you are you. No, Microsoft doesn’t do this.

Then, just to add to the fun, Microsoft had another trick up its sleeve. I couldn’t sign out of the locked Outlook account to sign in to the Hotmail account. I had to clear my history before I could log in to my Hotmail account. Otherwise, it just stayed at the locked email address that I couldn’t log in to.

By this time, I had received an email from the Microsoft Account Team asking me to fill out the same form that I had filled out three times before with my partial information. Well, that wasn’t going anywhere. So, the next step was Microsoft Community at answers.microsoft.com. Someone there told me about a different form that I could fill out. When I filled it out, I told them my sob story, that I used that Outlook account to apply for jobs, and that I hadn’t violated Microsoft policies as had been stated. Finally, they unlocked my account.

It was right around this time that I found out what had actually happened to my Outlook account. I received an ID alert from Mastercard Identity Protection in my Hotmail email telling me that my Hotmail account address and password were found in underground communities. You know, the dark web. Mastercard told me that 3,238,907,689 email addresses and passwords had been exposed. Notice, that is over three billion email addresses and passwords. They said that it was not attributed to any particular source. I’m guessing that it was the Chinese hackers. Anyway, that would explain the violation of Microsoft policies that my Outlook account had. Someone did something with my account.

At this point, I began to make an effort to find out why Microsoft had not informed me or any of its users of the breach along with why it was possible for me to change my password and edit my user profile in a locked account. When I asked “How to Report an Outlook Security Vulnerability?”, I received an answer from an Independent Advisor “If you still have any questions, please reply with details to help you.” That was not exactly an answer. So, I didn’t reply.

Next, I asked “What might have been compromised in the breach?” and I posted an image of the Mastercard Alert. This time, I received a reply from a genuine Microsoft Agent who was the moderator. I had moved up in the world.

I have to explain that you almost always receive a reply from an Independent Advisor. These are knowledgeable people who volunteer to answer questions at Microsoft Community. A Microsoft Agent actually works for Microsoft. To receive an answer from an agent means that the advisor had no answer and that it is important enough for a Microsoft employee to step in. So, what was the answer that the agent gave me? “We understand that you encountered an issue regarding your account, and we’re glad that you now have access to it. Regarding your concern, our system notifies you if there were any changes on your account. An unusual activity would refer to an unauthorized access and has been detected by the system.” It does? It didn’t. That is why I was told that I had violated Microsoft policies.

The Microsoft Agent sent me a private message “To protect your account, we recommend that you do the following: Change your password. Create a strong password that hackers won’t have any idea about. Be on the lookout for emails that may contain phishing or malware. Do not open or respond to any suspicious email. Keep your security information updated. Your alternate email address and phone number is how you get updated regarding your account. Our system will send you a notification if your account is being accessed. Use two-step verification. This way, you can verify your access using your security information.”

Hum, that was informative. Now I know that if my email address and password are compromised, I should change my password. Darn, I didn’t know that. Well, actually I did. Of course, I did! And didn’t I already try two-step verification?

When I didn’t answer this message, I received another private message from the same Microsoft Agent telling me that I had not answered her reply. So, I just answered. “I did change my password but I am concerned for the other users who have not been notified that this has happened. Will they be notified?”

Her reply was “Yes, other Microsoft Account users are being notified in different ways. Our system sends a notification through email, text message or even upon signing in. If an account has been accessed using another device or outside their usual location, this is listed on the recent activity page of the Microsoft Account.”

So, I asked her “I never received a notification when my job search Outlook account was locked. I spent a week trying to have it unlocked before receiving a notice from Mastercard Identity Protection that Microsoft Outlook emails and passwords were compromised for over 3 billion users. Why didn’t I receive notification by any means whatsoever?” I have not received a reply. In fact, my private messages have disappeared as if they never existed. Luckily, I made screenshots of them and I saved the emails that told me that I had private messages. I’m certain that they disappeared because Microsoft had to clear out old messages even though there are old posts at Microsoft Community going back several years. Could they possibly be covering something up?

So, the average user will not be informed of breaches involving their information. Nice. And Microsoft will do everything in its power to ensure that word does not get out about this breach including deleting private messages from Microsoft employees.

This is not the first major issue that I have had with Microsoft in the last year. I understand that they have competition but they owe their users honesty.

After a few days, my private messages have reappeared. There is an answer to my question about the fact that I never received notification when my account was locked. This stated the usual ways to recover my account along with the following answer “On your thread post, you mentioned that you encountered an error when you sign in, saying that your account detected an unusual activity. This error means that your account was signed in from a different location. If you have an active security information, you’ll be notified through them.” Yes, someone else did sign into my account.

--

Diana Montgomery she/her/ally/Christian

I hope to always speak truth and to be helpful to anyone reading my writings.