Ask HN: 91-year-old's Hotmail account hacked, only automated support responses

36 points by frereubu ↗ HN
My elderly mother has been locked out of an old Hotmail account that I wasn't aware existed and I'm finding it impossible to figure out how to get access back, continually hitting automated brick walls without even some kind of live chat. I'm concerned it's going to be used for identity theft. Timeline (UK):

August 15th afternoon - She gets a message to her iCloud email address (presumably used as a backup for the Hotmail account) saying "Action required for two-step verification"

August 16th lunchtime - Another message saying "please use the following security code for the Microsoft account ab*c@hotmail.co.uk (where a, b and c are letters from her name).

August 16th a few minutes later - Message saying "The following security info was recently deleted from the Microsoft account ab*c@hotmail.co.uk" giving her iCloud email address.

She got in touch with me when she picked these messages up today - she's been drilled by me to get in touch when something suspicious like this comes up, and is generally pretty sharp at spotting dubious emails - but because she doesn't pick up her email address regularly it's seemingly too late for the usual recovery method of backup email address.

What's particularly concerning is that they seemingly managed to get access to the Hotmail account without access to the iCloud account - the first email was about 2FA being set up on the account, and the iCloud account hasn't had the password changed or any security settings updated despite that being the backup account.

I'm trying to get access back for her, but all I'm getting is an account recovery process that, if you don't get enough details right for the automated systems, just says "At this point, your best option is to submit a new form with as much accurate information as you can gather." This email account is clearly hers, as it had her iCloud account as a backup contact method, but she's not sure when or why she created it, so it's difficult to answer questions like "give us some email addresses that you emailed recently" or "give us some exact subject lines of recent emails."

Does anyone here have any experience of this where they've managed to get through to a human being at Microsoft who can actually help? I understand it's difficult because the email address is old and she's not sure what's in it, but the fact that someone seems to have targeted it is giving me the heebie-jeebies.

15 comments

[ 3.3 ms ] story [ 39.5 ms ] thread
It doesn't sound like it's worth persuing ("the email address is old and she's not sure what's in it"). You can try emailing the account in case the hacker is still looking at it, but my wild guess is that it was low-hanging fruit and the attacker abandoned it when they discovered nothing worthwhile for them.

(The email could say, when you discover there is nothing worthwhile in the account, can you please give it back to my grandmother be setting the password to 'PleaseLetHerHaveItBack'.)

It's a fair point and I've wondered that myself, but it's one of those things where I'd like to be absolutely sure. A friend has been the victim of identity theft and it's a whole world of pain when that happens.
My mom wasn’t hacked, but she lost her password and can’t get a human to talk to for the life of her
I wish AARP would offer email services to the elderly as part of their service offerings, with the ability to reach a human for support.
This is actually brilliant.
Just seems like an obvious fit. Include the hand holding with internal org resources and white label FastMail, getting a deal like Costco (AARP is like non profit Costco for seniors, in a way) would at that scale.

Appreciate the kind words!

why are these olderly people not writing their passwords in a notebook ?
Because we spent thirty years convincing people not to write their passwords down?
The fact that they make it impossible to get in touch with a human is actually a boon to security. Humans are the weakest link and most prone to social engineering. I’m not sure why you think getting in touch with a human would help resolve your situation. If you don’t have the right information to satisfy the automated system then why would a human be able to help you?
Quite the opposite. It is only the most vulnerable people that won't manage to resolve whatever issue they may have that an endless loop of FAQs (looking at you, Google) with no actual contacts (or very meticulously hidden away, if there's any) won't fix in any way. Bad actors are much more likely to have the networking and specific knowledge to get ahold of somebody internally to bribe, manipulate. Hell, even big companies bribe others' employees en masse, and there's plenty other examples. And automated systems' judgement is very poor (from a design standpoint, better blanket refuse than let in without utterly being certain), at least in my experience trying to recover somebody's Outlook account and inputting all emails and contacts, exact matches line per line.

https://news.ycombinator.com/item?id=32416424

https://mashable.com/article/instagram-verification-paid-bla...

So what you’re implying is that because security for most major companies is a joke, and because they all have crooked employees that help criminals gain authorized access, that it’s an uneven playing field between the so called “most vulnerable members of society” and the criminals, that account access methods should be even broader and made even easier for criminals by giving them a human vector to manipulate? That’s absolutely ridiculous. I think there should be NO HUMAN in the mix, when it comes to my password recovery and resets. I want ONLY code processing my request with no hope of human override. Because it’s so easy to gain authorized access to any account by using the old social engineering backdoor! Why on earth should we make it easier by increasing human vector in the equation? I’ve had hundreds of gmail accounts over the years and never had one hacked thanks to their impeccible way of helping in all but the most exceptional of cases.
I'm implying it's not possible not to have an human in the mix, not currently and I don't see it possible in the future. The manners in which it would be (or at least I think, with real 2FA, passkeys, et cetera) are not a common sight for most people yet. I would be fine with username+password+second factor, backup keys and that's it, if you lose them it's game over, but only as opt-in (I'd love it and toggle it for every service), or you'll quickly notice most people will lose their data eventually, so you may still need human interaction for the majority of the user base.

The not-so-interim solution, or really what should've been done since a long time ago, is to develop a common procedure that companies that provide certain services (network operators in particular, since the SMS 2FA industry addiction is not going away anytime soon) or generally have a sizeable amount of users must enforce, no asking for internal ticketry for somebody else or the likes. All of these instances should be stored, trackable internally for law enforcement purposes in case of fraud or stolen identity for a determined amount of time. Right now it's just a mess, some must legally ask for ID and yada yada but all SIM hijacks prove it's not strict enough. That's just how I see it, so I'd like to read how you would implement something that would work best and apply to everybody and OP's mother.

It's unclear how the decision was made during the commissioning of your organization's email product that Hotmail met the requirements for validation. Is it the case that the offering of quality support was not included in the Requirements Trace Specification?
I know you got downvoted for this, but I (the OP) got a chuckle out of it, so thanks for the laugh :)