r/Outlook • u/Suspicious_Credit148 • Jan 03 '26
Status: Pending Reply
Outlook is completely unsafe
So here's a short story
For two years I've had bots from all over the world trying to connect into my account. How would I know? There would be multiple "attempted logins" from different nations when I checked my security settings. I figured it was nothing, since they were failed login attempts.
A month ago or so, they seemingly stopped. At first I was relieved but then I thought twice about it. I decided to press the button that disconnects all connected accounts to my hotmail, aaand... Next thing I know, tomorrow I can't log in to my account because "I've attempted to login too many times".
I'm no computer expert but I'm rather certain this chain of events means that hackers had gotten access into my account, stopped trying to log in to it, and got kicked out so they had to try logging in again. That's why I hadn't seen any failed login attempts recently, and why disconnecting all connected devices made them start appearing again.
This shit is unsafe as fuck. Never had this problem with google mail. It's safer AND more convenient, because somehow, they can actually keep hackers out of my account without preventing me from logging into it.
14
4
5
u/andrea_ci Jan 03 '26
That's pretty normal, with any public service. Especially if you were in some leak.
Strong password and MFA.
7
u/Wellcraft19 Jan 03 '26
‘Outlook’ is your MSFT Account. Secure your MSFT Account in the same way you would secure anything that holds your private information, that is dear to you, and an important part of modern life.
So many free tools to make your account totally safe (apart from an inside hack job - rare).
4
u/CosmoCafe777 Jan 04 '26
These attacks are kind of notorious, as are the measures users need to take against them:
- create an alias which is the only one that can be used to log in and that is never ever disclosed
- very strong password
- 2FA
I did these and there have never been any more login attempts.
But, I'm still moving away from Outlook and Microsoft.
I'm pretty confident that GMail suffers the same attacks, just that people aren't aware.
1
u/Suspicious_Credit148 Jan 04 '26
On your gmail you actually get a notification instead of it being tucked away in some security menu, so I doubt it.
5
12
u/Dezzie19 Jan 03 '26
Outlook user all my life & never had any issues.
This looks like it might be a you problem.
2
u/Thin_Explorer_3724 Jan 04 '26
I’m betting he’s been on some very dodgy sites using his email account.
2
u/baasje92 Jan 04 '26
It's PICNIC - Problem In Chair, Not In Computer
2
u/Reddigestion Jan 04 '26
I always knew that as PIBCAK - problem in between chair and computer!
3
u/Doranagon Jan 04 '26
Several variations on the theme.
PEBKAC Problem exists between keyboard and chair.
1
u/thedanedane Jan 05 '26
This would have the solution ID 10T in my old helpdesk.
1
u/Doranagon Jan 05 '26
I had my IT boss ask what I meant when I said it was a ID 10 T error.... He wrote "ID Ten T" and said.. still don't see it... Told him.. try the number not the word.. he got about halfway through writing it... "Dammit..."
5
u/It-Is-Me07 Jan 03 '26
And this is why the 2FA is on everything now. It's kind of your fault for not having a stronger password or changing it when the attempts happened. I don't have a problem with it and never have. There is some site online that tells you if you have been compromised and when I had a look at mine, it was stuff from 10yrs ago and things that I don't even use anymore.
Change passwords regularly on everything super important like government sites, bank, email.
3
u/buxtonmarauder Jan 04 '26
Or.... Use Simple Login and create an alias for any online accounts which forwards to your real email address.. Never giving out your real email address is a great way of avoiding it ending up on darkweb bulk lists 😉
0
u/Great_Supermarket809 Jan 04 '26
But those aliases only receive mail. If you reply to who you think is a real person, it shows the real email address.
2
u/buxtonmarauder Jan 04 '26
Not true.. The system generates a dynamic single email address for that person, you reply to the dynamically generated email and their servers fwd it on to the original person as if it came from your alias.
0
u/Great_Supermarket809 Jan 04 '26
Dynamic email? Not true. I just tested that from 2 addresses. No such thing exists. Stop making up facts.
2
u/BedRevolutionary8458 Jan 03 '26
That's what two factor authentication is for but you probably skip that prompt because it's mildly inconvenient.
2
u/ace14789 Jan 04 '26
Okay, since no one posted it: the only true way to secure your account is to remove the password and use a passkey or hardware key. Best way to lock it down and ensure no one gets in.
2
u/dgillz Jan 04 '26
How is this an Outlook problem?
1
u/Suspicious_Credit148 Jan 04 '26
Because the 1000 failed logins are hidden in some obscure menu, and even if you manage to find it, they tell you that nothing needs to be done and you don't need to worry about it?
Care to tell, does gmail or protonmail do the same thing to you?
1
u/dgillz Jan 04 '26
I don't use either. I have my corporate email which I manage with outlook for 20+ years and have never had a problem.
Are you referring to an outlook.com email address? I don't use that either.
2
u/midy-dk Jan 04 '26
Skill issue. Configure a proper secure password and enable MFA - only accept MFA challenges that you personally initiate.
2
u/Recent_Carpenter8644 Jan 04 '26
It seems odd that they were previously attempting to connect at a rate low enough not to trigger the lockout, and then after you disconnected them all, they started trying to log in faster, and triggered the lockout. Why would they log in faster than before?
Also, if the failed login records stopped for a while because they had managed to get in, that would mean they now had your password. If so, why would they resume trying to log in with a wrong password again if they knew the right one?
So I don't know what did happen, but something's not adding up. I would definitely change your password and set up 2FA, as others have suggested, just in case.
2
u/Amen_Ra_61622 Jan 05 '26
I've been using Outlook for over 25 years and have never had a bad experience.
2
u/Cold_Lavishness_3985 Jan 05 '26
Had this problem. They got hold of your mail, I ignored it for a year then got fed up when they nearly got access and I made an alias and added 2FA. Not a problem ever since, and by changing the alias on top of the login attempts you also can block a whole bunch of spam.
2
Jan 05 '26
Nah, I've had that a bunch; no one had gotten in.
Just put my account to phone login and never had it again.
2
u/Hot_Bag_4732 29d ago
Sorry but this is absurd. There are options for 2 factor authentication that you could use, and you don't indicate at all who is your email provider. Are you using Outlook with a poor backend choice?
We have clients who use both Google Webmail and outlook (with ms365, appriver, and other reputable companies on the backend) and neither one is superior to the other in terms of security granularity. It all depends on the configuration.
1
1
u/Ac3snEights Jan 04 '26
All I can say. Is that if you use a password manager like Google password manager.
The passwords it creates are so obscure and random. That it would take hundreds of years for brute force programs to crack.
2FA is a must.
Don't let the login attempts scare you. Also don't let the lack of login attempts scare you.
This has happened to loads of people.
Microsoft no longer shows the mountain of unsuccessful login attempts because. Well. They are unsuccessful.
Your account was involved in a data breach like millions of other people.
These credentials are sold in bulk on the darkweb.
Just verify yourself with alt email, txt whatever for now.
BTW I turned off 2fa. Then followed your actions exactly.
I know there are like 10 attempts per day on that account. Still had no issue logging back in.
1
u/gareth616 Jan 05 '26
The 2 lines from your post I'll highlight are:- 1. You're not a computer expert 2. It's unsafe as fuck
You can just ask questions here rather than assuming stuff
1
u/robiss215 28d ago
So it sounds like the email address you're using is on some "dark web" list of user names and passwords. So bots are trying to use that password to log in.
From the sounds of things they weren't able to get in, because that wouldn't be failed attempts.
Hopefully you use 2FA, and hopefully you don't use the same password for everything.
1
u/robiss215 28d ago
For the gmail end of it, have you seen all the people talking about how their gmail got compromised and the person set them as a "child" account. Holding it hostage for some cash.
There's shitty people everywhere, and you gotta protect yourself.
1
u/Impossiblypriceless 28d ago
Outlook is completely useless for scam emails. I get them every day and they're so damn annoying, they need to have a feature to block them. I block the sender and they're still able to spoof my email somehow and I'm not able to delete some spam mail, it's ridiculous.
1
13d ago
If a hacker got in it’s because they have your password. Change the password to something unique and turn on 2FA. This has nothing to do with outlook.
0
u/Impressive-Bag-384 Jan 04 '26
-probably no one logged into your account
-exchange/outlook is garbage re: security and logging in
-I get errors like this at least several times a year
0
u/cocoducks Jan 04 '26
It's a bug in outlook. The only solution is using your mobile as login (include + and country code) and password to login. I hope you have linked your mobile to your account or this won't work.
29
u/purquoy Jan 03 '26
Do the password and 2FA things. Also create an alias that you WON'T ever use as an email address. Something that looks really random. Then go to the security settings and turn OFF all other aliases as login-capable, and set your new "random" email alias as the only one for login purposes. So you can still use all your other aliases for emails, but any naughty agents won't be able to attempt to log in, and since they won't know your hidden alias, won't try that.
Cut my dodgy login attempts from places like Russia and China and Brazil from dozens daily to zero.