Ask HN: 91-year-old's Hotmail account hacked, only automated support responses
August 15th afternoon - She gets a message to her iCloud email address (presumably used as a backup for the Hotmail account) saying "Action required for two-step verification"
August 16th lunchtime - Another message saying "please use the following security code for the Microsoft account ab*c@hotmail.co.uk (where a, b and c are letters from her name).
August 16th a few minutes later - Message saying "The following security info was recently deleted from the Microsoft account ab*c@hotmail.co.uk" giving her iCloud email address.
She got in touch with me when she picked these messages up today - she's been drilled by me to get in touch when something suspicious like this comes up, and is generally pretty sharp at spotting dubious emails - but because she doesn't pick up her email address regularly it's seemingly too late for the usual recovery method of backup email address.
What's particularly concerning is that they seemingly managed to get access to the Hotmail account without access to the iCloud account - the first email was about 2FA being set up on the account, and the iCloud account hasn't had the password changed or any security settings updated despite that being the backup account.
I'm trying to get access back for her, but all I'm getting is an account recovery process that, if you don't get enough details right for the automated systems, just says "At this point, your best option is to submit a new form with as much accurate information as you can gather." This email account is clearly hers, as it had her iCloud account as a backup contact method, but she's not sure when or why she created it, so it's difficult to answer questions like "give us some email addresses that you emailed recently" or "give us some exact subject lines of recent emails."
Does anyone here have any experience of this where they've managed to get through to a human being at Microsoft who can actually help? I understand it's difficult because the email address is old and she's not sure what's in it, but the fact that someone seems to have targeted it is giving me the heebie-jeebies.
15 comments
[ 3.3 ms ] story [ 39.5 ms ] thread(The email could say, when you discover there is nothing worthwhile in the account, can you please give it back to my grandmother be setting the password to 'PleaseLetHerHaveItBack'.)
Appreciate the kind words!
https://news.ycombinator.com/item?id=32416424
https://mashable.com/article/instagram-verification-paid-bla...
The not-so-interim solution, or really what should've been done since a long time ago, is to develop a common procedure that companies that provide certain services (network operators in particular, since the SMS 2FA industry addiction is not going away anytime soon) or generally have a sizeable amount of users must enforce, no asking for internal ticketry for somebody else or the likes. All of these instances should be stored, trackable internally for law enforcement purposes in case of fraud or stolen identity for a determined amount of time. Right now it's just a mess, some must legally ask for ID and yada yada but all SIM hijacks prove it's not strict enough. That's just how I see it, so I'd like to read how you would implement something that would work best and apply to everybody and OP's mother.