HACKER Q&A
📣 tw600040

Someone is trying to reset my email password


Someone is trying to reset my email password for live.com. I keep getting a 7-digit 2FA code in my other email (4 times in the last 10 days). Is there anything I can do to protect my account? Thanks


👤 Ayesh Accepted Answer ✓
It's possible that someone obtained a password dump and is trying to see if it works on your email account.

Check yourself on Have I Been Pwned, and if you see your information has been breached, reset all your passwords.


👤 tamask
Same with me, I have an old @hotmail.com email address. I changed my password to a randomly generated one, and I have 2FA. Other than this, I don’t know what else I could do. But I think my account is safe as long as there are no vulnerabilities on the site, which it is highly unlikely there are.

👤 netsharc
One possible explanation is that someone thinks it's their email address, they've forgotten the password and are annoyed that they're not getting the 2FA code on their phone..

There was a thread about HNers having a common name and firstname.lastname email addresses and getting random emails not for them..


👤 alex_duf
Usually companies send the 2FA token once the password has been entered. So someone has your password and you're only saved by 2FA.

So you can start by changing your password maybe?


👤 scjosh
I’ve had some password reset mechanisms send me codes without the attacker needing to know much. I believe this has happened with Facebook before; my password there is unique and random, and even after changing my password to another random one, I still got a couple of occasional 2FA codes. Not sure if they’ve changed anything there to combat this, but just my 2¢.

👤 thebruce87m
I’m being driven crazy by this sort of thing. Password resets for my Facebook account etc. But the worst ones I get are someone signing up for a service using my email address where the service doesn’t verify the email address. The cherry on top is when this is done in a language that I don’t understand.

I was getting Netflix account information and Uber trip receipt emails in Spanish for a while with no option to say “this is not me”.


👤 kjaftaedi
There's not much that you would want to do in this situation. The system is working as designed.

You should change your password to something you don't use elsewhere just to be sure they aren't attempting to log in with your actual password.

4 emails in 10 days is not excessive.

If the e-mails bother you and your account is secure, then you can just filter them into a folder and then go looking for them when you actually need to reset your password.


👤 cpach
Maybe get in touch with support? Perhaps they can add some protection to the account.

👤 hrgiger
It's upsetting that email providers still don't provide a soft IP lock, at least for settings, so that if you don't access from that IP you really need to go through more complex recovery options. Considering the infrastructure cost, they could even charge for it.

👤 Ladyady
Same!