For the record you should probably change your password. That way they can’t even try.
this post was submitted on 03 Aug 2024
16 points (94.4% liked)
Cybersecurity
5644 readers
184 users here now
c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
- Be respectful. Everyone should feel welcome here.
- No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
- No Ads / Spamming.
- No pornography.
Community Rules
- Idk, keep it semi-professional?
- Nothing illegal. We're all ethical here.
- Rules will be added/redefined as necessary.
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !cybersecurity@lemmy.capebreton.social !securitynews@infosec.pub !netsec@links.hackliberty.org !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub
Notable mention to !cybersecuritymemes@lemmy.world
founded 1 year ago
MODERATORS
Some Microsoft services don't ask for your password anymore, they just send you a code to your register email.
Yeah it turns out that's what nonsense this is.
Worse, I sure as crap never opted into this, but at least you can turn it off.
What a stupid decision some product manager made.
Passwordless is the best.
Not when that password is just an email...
❤️ Passkeys.
The thing that I have seen is while it looks like they are after MFA codes, those emails are a distraction from the actual account they are trying to take over, so be very careful when deleting the emails, there could be a legit email in there asking you to roll back an account change.
Dosen't Microsoft rate limit the attempts? In that case ypu can just select a random number, the trie to brute force it until the code send is the one selected.
It doesn't seem all that limited; I'll get 4-5 in a burst, then nothing for a couple of hours or a day or so, then 4-5 more, and so on.
Been ongoing for a couple of months now, and given it's a random 6 digit number, I don't think they're even remotely doing enough attempts to try to brute force it.
If Microsoft accepts, let's say, 3 attempts per code send, they already tried 1200 numbers (per your 400 emails), it's still short to the 10**6 random attempts on average (supposing that the codes are entirely random). If you email is part of a list of a thousand, they already had tried more that a million and got access to some of them.
I've been getting these for an account even I can't get back into.
Gonna have to get real granular with my inbox filters to send them into the void...