My Outlook/Hotmail Account Has Been Hacked Twice

hi,

my email (microsoft/hotmail/outlook) keeps getting hacked.

twice in the last 2 weeks.

they leave threatening draft emails in my inbox see here which lay out what they have done.

the first time they used my email to get into my aliexpress account and ordered a usb thumb drive to be sent to poland (a really bad price) - the weird thing was they filed disputes of items not received from all my recent orders. -8 orders- for which I got refunds.

they changed my aliexpress password and log in details (email address as well) - so a bit of work to change all that back

then an hour ago i discovered my email had been hacked again (i got multiple phone notifications of 2FA code requests)

and they posted a second threatening draft email

this time the hacker used my email address to attempt to get in to my ebay account - ebay security detected weird activity and shut it down
also attempted to access my netflix

i've added 2FA to my email address
and to ebay account
obviously changed the passwords.

is there anything else I should do?

i just ran malwarebytes and it found 3 threats on my PC - which have been quarantined.

it also showed data breaches of the sites where I had registered/logged in with my email address - most recently Malindoair on 5 september 2025

question - was this just the result of brute force password attack? or too hard to tell?

p.s. sorry for the rambling post - it's 4:15 in the morning


Comments

  • +16

    Sorry to hear that - it’s really unsettling when it happens. Here are some very basic things you should do (imo)

    1. Get a password manager
    2. Change all your passwords to unique, random characters (the password manager will automatically generate these)
    3. (While you’re in there changing passwords) Setup 2fa on every account that lets you
    4. Go into your Microsoft and Google account settings and remove all logged in devices

    You can go down the path of setting up Authenticator apps as well, but just start by cleaning up your leaked password situation first

    • +12

      Should add do these on a device that is not already compromised

    • Is it possible for them to hack ur password manager and get all passwords from that?

      • Anything is possible these days.

        The problem with security is that it just takes one weak point in the chain for it to fail.

        However, that doesn’t mean you should leave the front door open. You got to make it hard for them. It just buys you more time to detect unusual activity so that you can shut it down before any serious damage - you can’t really stop being hacked!

        Back on password managers - use it. Just not sure of using them to store bank passwords, myGov, etc.. I think a different approach is needed for that?

        .#security keys #stay away from Windows #business grade routers

    • +1

      Also curious op did you find out how u got compromised?

      • +2

        No idea. 😢

        • Thanks

          I was worried i got compromised also but i scan with multiple stuff nothing picked up

  • +7

    What's your password, I'll login and take a look for you?

    • +3

      It's 'password' dummy, everyone knows that! :)

      • +2

        Too short. I have updated it for you for 2025: Password.420

        • Nice! :)

        • not password2025?

          • @McMaferMur: Lol. No uppercase character and no special character. Password.2025? Also, some companies enforce a monthly password rotation, so maybe Password.92025?

    • +6

      hunter2

      • +4

        I just see *******

  • +3

    Was your ozbargain account hacked too?

    • It wasn't

  • +12

    As a last resort OP, add an alias to your email and make it main, disable or delete your old email. Microsoft has issues with changing emails but you can try on their website.

    The steps are:

    1. Go to My Microsoft Account
    2. Find "Your Info"
    3. Press "Edit account info"
    4. Add your alias email and make it primary. *You won't lose your old email, but it will no longer be the default, so proceed with caution. Microsoft has a lot of issues with changing your default email address back.

    In the future, make an alias as a burner email and use that for everything from shopping accounts to newsletters. Never use your main email.

    • +4

      Add your alias email and make it primary

      I did this years ago and it worked a treat.. so the alias is only used to log in to Microsoft accounts, never given out to anyone else.

      The compromised email account is used for everything else with bitwarden for strong passwords.

      • How do u learn smart tricks like that btw?

    • +1

      This is perhaps the best advice so far. I don't have problem ever since utilizing the Alias feature.

      • So is it like everything get sent to the alias email? Like the dot trick with gmail?

    • Sorry, can u pls explain how to do this. I have gone to "Edit account info" but under that I have "Add email", "Remove" and "Add Phone number"….nothing about Alias…

      • add email is add alias :) hope this helps

        • Thanks for that. Just to understand this better, my original email is abc@hotmail.com and by creating Alias/new email that would be xyz@outlook.com. So going forward i give xyz@outlook.com as my email address? Also trying to understand the benefit of creating this Pseudo email name from security perspective. Sorry not understanding some of these tech details…thanks

          • +1

            @s0805: xyz@outlook.com becomes a secondary email unless you press "make primary" (This is the last resort I was talking about). Essentially, you will have an account with 2 emails, a primary being abc@hotmail.com and a secondary (alias) being xyz@outlook.com. Think of xyz@outlook.com as a "shadow" email. Moving forward, it won’t matter which email people use to contact you. Messages sent to either address will reach the same account. You will NOT receive two separate emails.

            So the idea goes, if you use your secondary email for shopping accounts and stuff, it's an added layer of security because if your secondary email is ever leaked, you can easily delete it, and it would be like the email never existed, while you still have your main email. It's like people having a preferred name; their legal name is never revealed, and they can always change their preferred name.

            To make it better, press "sign-in preferences" once you have a secondary email and disable sign-in for that one. This way, your secondary is contactable and you can use it to send emails. But it will never work if you try to sign in to it and you can only use your main email address to sign in. Once again, if your secondary email is "hacked", as in leaked and because you disabled it as a sign-in option, hackers will never be able to sign in to that account unless they also know your main email.

            So, having an alias system is, in my opinion, way better than having 2FA only. Paired to 2FA and if you never revealed your main email, it is pretty much unhackable.

            Use main for trusted contact, banking, government, and alias for newsletter and shopping.

            It's a lot but hope this helps :)

            • @RobBoss: Thank you so much for explaining it. Makes more sense now.

  • im not a tech expert, but if this was me.

    1. get a new/clean computer and start changing/updating account info on that computer. as above, pw manager can help.
    2. physically disconnect your old computer from the internet. uninstall the wifi card, unplug the lan cable. recover what you can into a portable hdd, and delete all your account information from that computer. you can try reformatting it but at this point, all my trust in the old computer would be gone.
    3. take the portable hdd to an "expert" before plugging it into the new comp to make sure it's 100% clean.
  • +11

    One thing I'd add is it's unlikely they have access to anything more than your email and password (and potentially spoofed mobile number).

    If they're leaving you messages and trying to threaten you - it means they don't have anything else and just trying to get you to send money over or click on malicious links. Of course, if you comply in any way they'll just keep the threat going so don't engage.

    If they actually had control of your computer or more than email, they'd be doing a lot more. Like why send you threatening emails when they could wait patiently for you to login to net banking and then transfer much more money out? They're trying to intimidate you into making a bad decision.

    Make sure to just update passwords and security settings where possible. It may be easiest to just detonate the email entirely and change all your stuff to a new email.

    Sounds like they may have access to your spoofed mobile phone number, so unless you can get a new mobile number they'll likely be able to keep resetting your accounts via the email/phone number combo. Hence why it may be easier to change the email entirely to prevent the 2fa being breached that way.

    See sim swapping for info on the mobile phone issue and how 2fa can be intercepted that way.

    • Just curious if they had trojan or powershell virus is that when they can steal your id?

      Also is getting id stolen rare?

  • change your password from cimotla

  • +1

    I would ask the hacker what password you should use to stop being hacked

  • I would

    1. Log out of all devices: should be in your outlook settings
    2. Change your password
    3. Set up 2FA authentication and/or set up 2FA with an app. For example Microsoft has an authenticator app, you login to your outlook and you have to enter a 6 number 2FA which can only be found in the authentication app and you have up to 30 seconds to enter it.

    I do #3 for PayPal. I kept getting notifications that X country and X IP kept trying to hack it. So I set up 2FA and I now require a 6 digit password from the authenticator app to get in. I know Microsoft and Google have an authenticator app. So yeah. Try that.

  • i dont know how it can be hacked (again) after you change the password.
    unless you change yours from password12 to password123 :D

    • Probably using the list of passwords from compromised lists.

      I've got my passwords setup so I can see based on the password which website the compromise came from. Means all site passwords are somewhat unique.

  • Reset pc, change passwords and you're done.

  • +1

    i just ran malwarebytes and it found 3 threats on my PC - which have been quarantined.

    it also showed data breaches of the sites where I had registered/logged in with my email address with - most recently Malindoair on 5 september 2025

    Malwarebytes has that feature? I'd just use HaveIBeenPwned directly as that's what all those data breach notification services are pulling their data from. You can search by email address, or you can put your old password into the Pwned Passwords page and it will tell you if it's in a data breach and how many times it's been leaked.

    RobBoss's comment is what I'd do next if you haven't already. Basically say your email is altomic@outlook, you would create an alias email address like altomic-loves-chocolate@outlook… and then make that the email address you use when logging in. Emails will still come from altomic@outlook, except you no longer login with the altomic@outlook email address.

    Don't use SMS 2FA, disable that if it's enabled (this is to eliminate the sim swapping attack vector), but be sure to have the app based 2FA setup on at least two different devices. This is because if you lose the access to one device, you still have a backup device to get the 2FA codes. I'd probably have it on three devices to be sure… perhaps your partner's phone, your phone and then a tablet or old phone etc. Also make sure you store your recovery code in a safe place too.

    I agree with DingoBilly's comment too. They probably don't have access to your computer… Just like the sextortion email scam where they claim they have access to your webcam and that'll leak videos of compromising content… it's highly likely they're bluffing. But you probably should put tape over your webcam anyway, since it's a good practice to do.

    • Malware has that feature. Maybe for the paid version? I got a 14 day trial version.

      Yeah, they also sent the email saying that they had accessed my webcam….

      • +1

        But I get emails saying they've accessed my webcam and have compromising videos of me that they'll share it with my friends and family if I don't pay them bitcoin… it's all a lie.

        I'm 95% sure they're bluffing in your case

      • +2

        Ask them if they liked what they saw

  • +2

    I get those emails all the time, saying they have video of me doing "bad things" lol

    Sometimes they even have my correct password in the email, but they can't access my account without the SMS code required.

    Delete and move on.

    • I got alerted to these emails using compromised passwords from a list. The passwords they use on me is real so I know when it was from and type of password.

      I use unique set for non financial and financial websites so you can tell by the combinations.

      Less sophistication more social engineering scams OP is subjected to. There is no keyloggers or remote access to OP's network.

      If they have video of bad things why don't they have a screen grab of 1 frame.

      • How is key log or remote access detected btw?

    • Sometimes they even have my correct password in the email, but they can't access my account without the SMS code required.

      Even with 2FA, I'd still change that password ASAP

      • -1

        I did the first time I saw they had my correct password.

        They almost got me a couple of weeks ago too, pretending to be Telstra, I was setting up carplay in my car when I answered the call and wasn't really paying attention to what they were on about. They sent me a "SMS Code" to verify who I am, lucky I stopped and looked at my phone over just listening to the code come out through the car audio, because the message was from Microsoft to reset my password.

        • +1

          That's wild. If you had chosen to listen to the message, they would have heard it and you'd lose access. Wow.

          Why not setup app based 2FA? It would prevent sim swapping attacks and the calls similar to the one you mentioned.

          • @thisusernameistaken: So is app based like google or ms authenticator?

            Like for my optus account its not app based its sent to phone by sms instead? Is there a way to change that to app based

  • For your Hotmail/outlook make sure to login via the main website on a desktop and the outlook app. Mobile version won’t show. Sometimes hackers can add rules for the inbox/junk and will auto direct incoming emails while hiding them from the user, so you won’t see the password changes or compromised connected accounts.

    As well as checking any added apps to the outlook account. Some use 3rd party email hosting apps to redirect too such as Thunderbird. Remove all and back the apps you know.
    On the main desktop outlook site use the log out everywhere. Microsoft will take 24hrs to sign out everywhere though.

    You can also Google search to clear hidden rules as well in case there is any hidden from normal view.
    In your inbox on your search bar type in any account that may be connected to that email, as any emails incoming during the compromised time could be hidden/ in limbo as you will only see if you search manually until rules are changed.

    • Was the hidden rule the one listed in the

      Forwarding/ imap rule?

      And is it worth checking recent activities showing location and ip address?

  • +2
    1. Open outlook and ensure auto forward of all emails to another email address has not been setup. If it's enabled, delete the forward address and disable it immediately.
    2. Change your password
    3. Enable MFA
    4. Change your MS account to password-less account
    5. Logout of all devices (apparently can take hours to sync across different devices/platforms)
    6. If you had sync enabled and have auto saved password for external sites, make sure to reset all of those.

    Check step 1 again frequently as it's likely this will be re-enabled.
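An added example, not part of the original thread, for the forwarding and hidden-rule checks described in this comment and the one before it: it reviews inbox rules exported as JSON, assuming the field names of Microsoft Graph's messageRule resource. The sample rules, names and addresses are constructed, and the watch terms are an assumption (the shop names are the ones mentioned in this thread).

```python
import json

FORWARD = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
DESTROY = ("delete", "permanentDelete")
TUCK_AWAY = ("moveToFolder", "markAsRead")
TEXT_CONDITIONS = ("subjectContains", "bodyContains", "bodyOrSubjectContains", "senderContains")
# Assumed watch list: mail an intruder would want kept out of sight.
WATCH_TERMS = ("password", "security", "verification", "aliexpress", "ebay", "netflix")


def audit_rules(rules, watch_terms=WATCH_TERMS):
    """Return (rule name, enabled, reasons) for every rule that forwards or hides mail."""
    findings = []
    for rule in rules:
        actions = rule.get("actions") or {}
        conditions = rule.get("conditions") or {}
        reasons = []
        for key in FORWARD:
            for rcpt in actions.get(key) or []:
                addr = rcpt.get("emailAddress", {}).get("address", "unknown")
                reasons.append(f"{key}: {addr}")
        reasons += [f"{key}: true" for key in DESTROY if actions.get(key)]
        # Filing or mark-as-read rules are normal unless they target security mail.
        words = [w.lower() for c in TEXT_CONDITIONS for w in conditions.get(c) or []]
        hits = sorted({t for t in watch_terms for w in words if t in w})
        if hits and any(actions.get(k) for k in TUCK_AWAY):
            reasons.append("hides mail matching: " + ", ".join(hits))
        if reasons:
            # Disabled rules are reported too, since they can be switched back on.
            findings.append((rule.get("displayName", ""), bool(rule.get("isEnabled")), reasons))
    return findings


# Constructed sample export; names, ids and addresses are made up for illustration.
SAMPLE = json.loads("""
[
 {"displayName": "Newsletters", "isEnabled": true,
  "conditions": {"senderContains": ["news@"]},
  "actions": {"moveToFolder": "AAMk-folder-id"}},
 {"displayName": ".", "isEnabled": true,
  "conditions": {"bodyOrSubjectContains": ["Password", "eBay"]},
  "actions": {"moveToFolder": "AAMk-rss-id", "markAsRead": true}},
 {"displayName": "fwd", "isEnabled": false,
  "actions": {"forwardTo": [{"emailAddress": {"address": "collector@example.net"}}],
              "stopProcessingRules": true}}
]
""")

if __name__ == "__main__":
    for name, enabled, reasons in audit_rules(SAMPLE):
        print(f"{name!r} enabled={enabled}: " + "; ".join(reasons))
```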

    • Is it rare to get data compromised btw?

    • +1

      I would improve on that by only allowing 2fa via security keys (use two, one for backup) for login and removing phone number, password, and authenticator

      • Is security key like biometrics?

    • I've checked Forwarding rules for outlook before, just wondering if you can check and change on gmail as well?

  • -2

    It is far too easy to get hacked these days even when you are doing ordinary internet browsing.

    Ideally, you start with a fresh SSD with a new OS installation and only bring over the files you need afterwards.

    Forget malwarebytes and other software because you are never going to be able to remove all the traces of the malware as most have polymorphic characteristics.

    You probably got 0dayed. It's so common these days, it's no joke.

    The problem I foresee is that you have a big presence on OzBargain, and even if you manage to block access to your email, internet banking and so on. They would still have access to your documents and what you are browsing and I don't know how they could use that but they could just video capture what you are doing which could be worse than them stating they have a picture of you from your webcam.

    Imagine if you are an accountant or a solicitor and they have all that information being streamed out to be captured. That's going to cause problems.

    This is also why it is so important never to use a password manager or auto-fill tool because that can all be accessed by the adversary because they have access to all of that even if you manage to stop them from accessing your email, banking, ebay, paypal account and so on because of an external 2FA requirement. However, note Passkeys are the worst since you now no longer have an external 2FA and are relying only on the credentials stored on the compromised computer. The adversary basically has access to an express lane to your funds.
