Hotel aggregators: small heads-up

Fully aware that most people here advise to book direct with hotels, as that avoids a lot of potential trouble, and may (or may not be) cheaper. At my own risk, I'll still occasionally book with an aggregator when the discount is steep enough and the risk seems low. For actually finding and quickly comparing properties though, they're hard to beat.

I've used Booking.com for a while, but because their search is nonsensical (when asking for 2 travelers, 2 rooms, they aggressively populate the search results with 1-room options, especially if there are not many options matching the 2-room filter). I then tried Hotels.com. Never used them before, but at least their search is quite reasonable compared to the other one.

The heads-up: Just to see if I could get a small discount if I do reserve through them, I made an account. Curiously enough, the hotel I'm stuck with gives a worse deal for a higher price, so the aggregator may make sense here. Unfortunately, the price actually went UP when I logged in, by over 5%. If I searched from their app/website from an active account in the first place, I may have never noticed, hence I think this is worth pointing out.

The sheer stupidity of the situation is fairly new. I'm well aware that aggregators often use dubious practices like inflating their prices when you visit them from a cashback service, such that you gain nothing (and actually pay them more at the time) when trying to save. However, charging those who are logged in more, without informing them in any way, seems like a new low even for these pathetic companies.

I'll still see if I can get the price from before when I logged in. If not, I'll probably take the worse deal just to avoid supporting this business model.

reddit.com
u/anvoice — 6 hours ago

If you use a long password (and Microsoft reports you used an "incorrect" password for login

Super long (but important). For the tl;dr, skip down to "Conclusion". and "Solution". This is close to the end of a 3-week long story for me. To read the entire thing, refer to the original thread I made describing a problem with Microsoft account log-in:

https://www.reddit.com/r/Outlook/s/2ErZ47nPhQ

Summary:

I once deleted my passkey on my phone to stop a wave of bot sign-in requests (the better option was to use an alias, though I did not know that at the time). At some point I accidentally logged out of Outlook on my phone. Trying to log back in, my account was locked due to "too many password attempts". Apparently bots were still trying to brute force the account (thanks to Microsoft or its partners for leaking my email, as well as at least an old version of a plaintext password). Recalling that I once bypassed a similar message I tried changing my account password (using a linked email and the 2FA app). I used a 128-character password, which is the length I've used before successfully many years ago when I changed from a simpler, short password (btw. never use those). This is no problem since it was stored in my password manager (I recommend everyone use these).n Microsoft reported a successful change for the (new) 128-character password. However, when copy-pasting the same exact password into the app to log in, it claimed "wrong password". This prompted a long, pointless search for a way to get back into my account. Information was scant. Along the way, I made the post mentioned above, potentially discovering a method for other users to get back into their own accounts. That method involved a "cooldown period" (seemingly confirmed by multiple Microsoft reps in chats with users, but not disclosed officially to the public) for a lockout triggered by trying the password too many times, and involved waiting a certain amount of time before either trying to log in again or changing the password and trying to log in again. The longest "cooldown" time, supposedly 7 days, did not work for me. As I already filled out the password recovery form with 100% accurate information before, with no notification at all (acceptance or rejection), I ran out of options. I created a question on Microsoft Learn, since their chat support was down. I've not heard anything from anyone there.

Today, on a whim, I tried using a password quite a bit shorter than 128 characters. Again, successful change through my linked account and 2FA. And now, the password worked to log in.

Conclusion:

The Microsoft "change password" field accepts a 128-character password with no problems, notifying you of a successful password change. Your email will also get a "password change" confirmation, confirming that it was changed successfully. However, that password will not work to log in, and Microsoft will report an "incorrect password", even if you use the exact same one via copy-paste.

Solution:

Use a shorter password if changing it. I don't know the exact limit, and I'm too tired of this to test it right now. Maybe someone else will test it, or maybe by some miracle Microsoft will actually stop ignoring users who can't sign in and try to fix/explain this. I do have a quick theory, so if someone is interested to use it as a starting point, I'd be interested to see where this goes.

Theory:

Once upon a time, Microsoft accounts had a 16-character limit. However, instead of simply rejecting 16-character passwords when you tried to make them, at least some of Microsoft's forms allowed you to enter a longer password. Then they truncated it to 16 characters, and used a hash of those 16 characters stored on their servers. The reason is technical, but basically storing a password as a hash in their database is a way to avoid letting hackers who gain access to that database to log into your account. While they might know the username and hash, they hash itself doesn't serve as a password, and provides no way to recover the password from its fixed-length form. Meanwhile your own password, of which Microsoft would take the first 16 characters (and take their hash to compare with their database hash), would work properly, so no problem. Also, as a consequence of this method, and purely theoretically, a completely different character string could produce the same exact hash and therefore allow someone who used it to log in. However, the hashing algorithm gives no meaningful way to "go backward", or produce any character string that would lead back to the hash. The chances of someone randomly entering a different character string that lead to your hash (stored in Microsoft's database) is statistically 0, meaning your account was quite safe.

However, at some point Microsoft started not only allowing you to enter a longer password, but it started actually using the entire password's hash, effectively meaning you could no longer type just the first 16 characters right and then some random combination of characters and log in. Some online sources say this limit is right now 256 characters. I believe, however, that whatever form Microsoft uses at character creation time might accept a 128 character password, but might (for some random reason I don't know) use only the first 127 to create the hash. Then, when the log-in form takes your (128-character) password, it compares the hash of the whole thing to the database entry (a hash of the first 127 characters of your password). The chances of making only a small change to a character string and getting the same hash is astronomically low for any good hashing algorithm, so it's quite certain they will not match. Thus you will never be able to log in, no matter how often you change the password, unless you use less characters.

The reason I believe it might be 127 (and not the 16 that was used before) characters has 2 components. First, I stumbled on a single old post (https://www.reddit.com/r/assholedesign/s/xwUUzjELM9) of a user claiming that in some contexts , due to bad programming by Microsoft, only the first 127 characters of the password were registered at creation time, allowing you to enter a 128-character password, but making a hash of 127. Since the log-in form would then hash the whole 128, you could never log in. Second, if the number of character used fort the hash was still of 16 characters at password creation time, but the full entered password at log-in time, anyone with a password >16 characters (hopefully most of the world at this point) would be unable to log in after creating said password. This would most likely have been noticed by now.

Since Microsoft has a proven track record for ignoring and never fixing their mistakes, this blatant coding error may continue to affect users of long passwords for a while. Hopefully, anyone with this problem in the future will be able to find this post and the fix.

Since the prevalent online information claims that the max character limit is 256, I had no reason to assume 128 (my password manager's max) might be too long. So it was pure luck by which I logged back in. This is assuming my guess is right of course, but at this point the assumption that Microsoft is incompetent enough to do this seems very reasonable.

Final Thoughts

No amount of security precautions and following best practices for password/passkeys could save me from this massive sabotage by Microsoft. Furthermore, there was zero help from Microsoft for solving this ridiculous mistake they created. The mistakes were manifold and profound, and failures pathetic and compounded at every step. Leaking databases, storing passwords in plaintext at least at some point (because I once got a fishing email that used my outdated, but genuine password to "prove" they hacked me), allowing bots to invoke your passkey through an Outlook prompt even when the bot has used an incorrect password, and providing confusing and sometimes plain deceptive error messages that misled users looking for solutions. Finally, not helping a multitude of users having log-in problems due to Microsoft's terrible code, ignoring their struggles as long as they could manage and only eventually acknowledging and (maybe) fixing the issue for a limited subset of users.

I think Microsoft is a garbage company. Nothing will change my mind. Despite astronomical wealth, their "engineers" created, then failed to notice, acknowledge, or fix a problem that some random users with a little extra time essentially resolved on their own. Then those users acted as "free" tech support for Microsoft, because Microsoft cares less about its user base than a complete stranger on the internet. Microsoft is happy to take your money, but feels it's ridiculous to actually provide you a reasonable service in return. Unless you have direct leverage over the revenue stream of course. In general large corporations often cater to shareholder interests first, but most are smart enough to understand that treating your users like trash will eventually impact the profit margin. This is their "foundational work required to win back fans and strengthen engagement" and focus on "fundamentals, prioritizing quality and serving our core users better." (quoted text verbatim by Microsoft CEO). I am migrating as much functionality and services from Microsoft as I can manage, and this is my advice to anyone I meet at this point. Sure, other mail servives could have concerns of their own, and [Insert some other OS name here] is not perfect. But if I can help it, I will not support and rely on a company whose primary virtues are incompetence and disdain for its users.

reddit.com
u/anvoice — 2 months ago

Kickstarter scam campaign(s?)

Was visiting kickstarter after a long absense since some interesting projects flew across my radar. Scrolled other tech projects out of curiousity, and randomly ran across what I believe is a sophisticated AI scam project. The project is "Brainlume", a "wellness device" based on hype around low-power infrared light stimulation. The science behind such devices is not proven or disproven, so the AI/scammer made a good choice if the goal is to defraud gullible people with "serious scientific data". I'm guessing the prompt for the LLM was something like "create an authentic-seeming Kickatarter project using open online literature and either real or generic but convincing research figures with profiles available online to look as credible as possible." The videos and "Team" were likely generated in the same manner. A backer who asked a technical question is answered with an AI response not giving any of the details they requested. I was simply skeptical at first, but internal alarms were ringing and I studied the campaign with more detail. Sure enough, the project page claims the device uses a 810nm wavelength, while 1064nm is mentioned later as having been found safe for humans. Sure enough, the linked Brainlume website states the device uses 1064nm. A mistake a seasoned team of scientists (claimed as team members and collaborators for the project) will not make. But exactly the kind of slip that still allows us to clearly distinguish AI content from genuine work. I couldn't find images of any of the so-called "team members" online, except one University of Pennsylvania visiting associate professor that seems to be based on an actual person rather than a generated image. That real researcher has nothing in their LinkedIn profile regarding being associated with Brainlume. Brainlume itself is only found online in relation to the Kickstarter campaign and related sites, plus their own website and some "Brainlume" or "BrainlumeTech" promotional videos on youtube.

The project currently has been fully funded and went far past its goals. It was also further promoted as a "Project We Love" by Kickstarter, which could have given it additional credibility.

If I'm wrong, I'm perfectly willing to admit it once the truth materializes. However, I'm willing to bet quite a bit that I'm not, which means any of those backers that are not actual bots will either be defrauded of their money or at best be sent some cheap generic pseudoscientific piece of junk by dropshipping, for a hefty investment (the pledge amounts for the lowest-tier rewards are in the hundreds).

I'm reporting this to Kickstarter and would like to see what they do. Assuming they step up to check everything and either tell me I was completely off-target or take the scam campaign down, perfect. I believe anything short of these two options is irresponsible and unacceptable.

And seriously (assuming I'm right of course) how am I supposed to trust other campaigns? Do I need to spend an evening doing research looking for small mismatches and disconnects that reveal a larger fallacy? Or do I need to employ my own "counter-AI-scam" AI agent if I'm to avoid getting ripped off? And what will the platform do to protect less technical users who can't always make the correct judgment on their own? It's possible I will still support the few project I'm interested in that I know beyond doubt are genuine. Beyond that, it seriously depends on how Kickstarter handles this.

reddit.com
u/anvoice — 2 months ago

Ran into a possible malware distribution attempt on a subforum. User links a github with an AI-coded project with outlandish performance claims. The developer's profile has a host of hacking-related repos. Either I'm completely wrong, at least about the vibe-coded software he linked, or they're not smart enough to hide their hacking tools, which is in part what allowed me to detect (assuming I'm right) the threat in the first place.

I'm a beginner at this point, and at the moment only have a Ubuntu laptop to perform tests. Free online tools find no threats in the zip of the repo I downloaded. Learning everything from scratch means letting the (possible) hacker run free in the meantime. Are there reasonable options I have to test the repo?

I do hope I'm not in violation of the second posting rule, but can't seem to find any guidance anywhere else.

reddit.com
u/anvoice — 2 months ago

Ran across a post in a subforum related to my interests that appears to have a high likelihood of being a malware distribution attempt. No irrefutable proof, but analyzing the user's post and comment history for a fair amount of time, along with the github and another link they provided, the possibility seems too high to ignore.

Sadly I have 0 cybersecurity experience: only common sense, an ability to learn quickly, and a wish to prevent a potential malicious actor from succeeding. I can code of course, but not a pro at this point by any measure.

Normally I'd be skeptical of a casual user detecting a hacker so easily, but I think I can explain this one: they're a vibe coder. This is pretty clear from their previous posts, and the app they peddle was developed at ridiculous speed, with a github commit density going from near 0 to insane levels over about a month (about where their comments indicated they explored AI coding). The github account they use, in addition to the app mentioned above, includes a host of repositories with code for pentesting, finding exploits and vulnerabilities, connecting to CVE databases, mapping networks, AI-powered name extraction, and enabling AI agents to run autonomous pentesting. Some of the code appears to be theirs, though likely AI coded as the descriptions are all distinctly AI-styled, and some is forked from existing pentesting/hacking utilities. The function of the repositories is in the description, which saved me the trouble of even needing to look it up. Unless I don't understand how github works (yes, I'm still learning), this could indicate they're not particularly smart (who would reveal their hacking repositories along with the payload app?). Again, either I'm too ignorant, or they might rely on AI more than on actual skill.

I could submit everything I learned to the mods, and was going to. However, when I tried checking online how a potentially malicious github repo could be assessed, I got little useful info. Some say it's hard and to "use trusted sources". Some recommend online scanners, which didn't seem to work in my case. I thought of trying to sandbox it myself (I know I'm asking for it if I mess up the settings or run into sophisticated malware, but I'd rather risk it than ignore this), but there's no single, up-to-date tutorial accepted as best practice from what I found. It doesn't help that I'm traveling and only have access to my Ubuntu 24.04 laptop. Could someone point me to a reasonable tutorial I could follow to set up a testing environment? Or an alternative way for a rookie to do this without self-destructing? If I report without ironclad evidence and the mods have no easy way to check the repo themselves, I'm not sure how to follow up.

reddit.com
u/anvoice — 2 months ago
▲ 27 r/Outlook

I may have the answer that could work, at least it's worth trying as some people are reporting success. I've been acting as free tech support for Microsoft's mess (which as far as I know they didn't acknowledge yet, nor provided any help to anyone) for quite a while, and from now will link everyone to this topic. Please read fully and carefully for the best way (that I'm aware of) on how to proceed.

Edit: if you find this helpful, please share a link to this post with others you see having the same problem. I hope I am not breaking any rules by asking this, but I am not advertising or karma-farming. Even copy-pasting the link everywhere is taking up a bunch of time, I need sleep, and the posts asking for help keep multiplying. Let's help each other!

Update: there is currently at least one independent confirmation of a user being told by actual Microsoft support the cooldown timer exists, and that the wait times are indeed 48 hours OR a week (for some users who have 2FA enabled). While I can't be 100% certain whether the rest of my theory is true, I am now confident enough to say that the recommended solution is currently unchanged. If you have 2FA (and therefore it being possible that you need to wait a week) and don't need immediate access, you could try waiting for 1 week to avoid having to wait 48 hours and then another week if the shorter wait fails. There has also surfaced a possibility that the cooldown timer may be IP/location-dependent. That is, one range of IP addresses, or a single IP addresses, might have the lock, while others don't. Absent an official solution from Microsoft, if you can't wait and are willing to risk possibly resetting the timer, you could try to attempt using something like a VPN (if you have the option and technical skill) to change your IP and potentially bypass the cooldown. This is only a theory of a single uservfor now, so be sure to makenyour own, informed choics. Good luck to all.

What?

Users who were logged out of their Microsoft account are reporting not being able to log in. The error message states that too many attempts were made with an incorrect password, although the user has sometimes not made any login attempt at all for a while. Resetting the password may work (e.g. via 2FA and a linked account, you need both to do those as far as I know) but the new password does not work. The error message says the password is wrong (important: this error is most likely incorrect and half of what caused this mess).

Why?

Almost certainly, if you are experiencing this problem, your email username has been leaked to hackers. I don't know when exactly this happened, whose fault it is, and whether it was one event with everyone's information or multiple data leaks over time. Most likely your password (at least your current password) has not leaked, or your account would have been taken over already, at least if you don't use multifactor authentication (and perhaps even then if Microsoft is incompetent enough, see the last part for why). Unable to get direct access, some hacker, or many hackers, have set up an automated system whereby bots keep trying to brute-force your account password. Hopefully, It keeps getting it wrong, and eventually triggers Microsoft's safety mechanism, which disables logins, at least via password, for some (not precisely known) amount of time.

Result

Hopefully the hackers didn't log in, but now you can no longer sign in either, at least via password. Trying many times and even resetting the password, if you managed to do it, does not help. If you did change the password, the error message now (most likely incorrectly) states that the (new) password is incorrect, even if you copy paste it from where you just changed it. It is extremely likely that the real reason for the error is still the lockout timer not having run out. In fact, by trying to log in again and failing, you could well be resetting that timer, although of that I'm not certain since I didn't code this debacle for Mucrosoft.

Solution

I found this (disclaimer: potential) solution essentially randomly after hours of searching and days of trying to sign in. Wait at least 48 hours from your last login attempt or password change. If you keep trying to sign in, you will keep resetting the cooldown timer for the lockout. The next step is a bit less certain: you can either try again with the (correct) password, OR reset the password again and then attempt to log in with that new password. If you use your browser for this, it may be helpful to delete cookies/clear the cache before you attempt this, and/or use Incognito mode. If that step fails, you should try again but this time wait an additional **1 week (**I know this is completely ridiculous, but this is the only other number I found) and try the login or password reset and login again. If this works, great, but do read to the end. If it doesn't work, I tried my best and the only other option I can suggest is Microsoft's account recovery link (https://account.live.com/acsr). It's recommended that you complete this form on a device you previously used to sign in, and better yet from a location where you used the device for that purpose. Also, if you have 2FA enabled and can't access any of the methods foe it to get a confirmation, Microsoft says it won't work at all. Assuming that is not the case, the process for completing the form is explained well enough once you follow the link, but as far as I know it's automated (a bot might decide whether to give you your account back), takes a while (likely 30 days, I tried it a week ago and have heard nothing back so far, not even a confirmation), and is not guaranteed to work. You can try filling out the form 2 times a day, as far as I know indefinitely. This does come with some temporary restrictions out on your account for 30 days, but beats losing access forever. If even that fails, I'm out of ideas unless Miceosoft condescends to help the users it got into this mess.

Admission

I do not know whether the bot's repeated attempts to hack you will keep resetting the lockout timer. If so, I don't know what to do, because the bot is almost certain to keep trying. Hopefully there's some component of the security system that keeps track of IP addresses that try to log in and might not keep you unable to sign in indefinitely. At the very least, I've heard success reports by now.

Next Steps

This is important. The bot is still trying to log into your account, and at least in some cases it triggers the lockout. Next time you try to sign in, you might face the same problem, unless Microsoft does anything to fix it. Thus, it is highly recommended that you change your primary alias for the Microsoft account to some other username (not your current email address). The official instructions from Microsoft are quite clear, but this is very important: DO NOT delete your former email address former alias (the email address) from the Microsoft account, or you will irreversibly lose access to that email. This way, the bots will no longer know where to knock and will leave you alone. Keep the new alias secret, or the problem could recurring. You will still get emails and be able to access them, but your new alias will become what you type in to log into your Microsoft account (in a browser or in Outlook).

Optional Steps

A passkey is a way to log into your account very securely. It' much harder to hack (essentially impossible with current technology unless the device you use to store it is compromised) than even a strong password. You create a passkey on your phone (instructions about on the internet so I won't lengthen this already bloated post) and use it to sign in, which should bypass a password lockout timer, at least unless Microsoft changes anything. You can also disable password signin to your Microsoft account, which will mean that nobody will be able to ever guess your password. Be aware that if you do this your passkey becomes your only way to log into the account. If linked to your phone, the loss of access to your phone (malfunction, theft, or loss) means you will lose the ability to log in. If going that route, I suggest setting the passkey up on at least several devices for redundancy. Of course, if a malicious actor gains access to any of those devices, they could access your account, and having several increases that risk. This is where you have to decide between safety and convenience (i.e. being able to log in if access to a single device is lost). If you do decide to retain password signin, make the password as long and random as you can, preferably using a password manager. If coded properly (e.g. your information encrypted in storage and transit whenever possible), a password manager is much more resilient against hackers than weak (short, easily-guessed, or partially/fully reused) passwords. You could luck for a trusted password manager, or self-host something open-source and audited for maximum security (if you go that route, you're likely an advanced user and I won't bore you with the detas).

Thoughts

If you are not tech-savvy, I strongly suggest getting someone to help you with some or all of these steps.

The rest is a purely optional read. I don't know if it's was Microsoft itself that leaked everyone's email, or a third party Microsoft shared their database with. I am quite certain that at least some outdated (I don't know about current) passwords also leaked, which means someone stored them in plaintext. I know this because I got a phishing email years ago coming from "my" (spoofed) email stating an actual password from that account for credibility. Fortunately it was outdated; otherwise the hacker would have just logged in and shut me out because I didn't have 2FA at that time. At some point (before this April) I started getting MFA requests in Outlook from different countries (the bot attempts) at least a few times a day. I kept clicking deny, but I was getting tired of it and worried the MFA exhaustion attack would succeed if I misclicked something. I had 2FA enabled at this point and used a long, random password. I do not know why I was prompted to "accept" the attempt when the password was incorrect, and this is yet another massive failure on Microsoft's part. I also don't know what would happen if I accidentally clicked the correct number out of the 3 presented and then the "accept" button. Granted, the chances were low, but would Microsoft then grant the bot access to my account, despite it having used an incorre password? If so, I have no words for how messed up that would be. If not, then why did they bother me with the Outlook prompt? I deleted my passkey from my phone specifically to stop the Outlook requests (I should have changed the alias, but I didn't know about it at the tims). When I accidentally logged out, I was greeted by the "too many incorrect password attempts" message, so the bot was still trying. I no longer had the passkey (thanks to Microsoft essentially enabling the MFA exhaustion attack), so I couldn't sign in that way. Despite having the 2FA app (on multiple devices for security) and my linked email, Microsoft's (almost certainly incorrect) error message claiming the new password was incorrect after the reset further confused me further, prompting me to proceed to keep changing the password until Microsoft stopped sending codes to my linked email (fortunately only for that day). How much of my (and everyone else's) time was wasted because of that? I still don't know if I'll get back in, and I have information and linked services kn that account I can't afford to lose (guess part of the blame is on me for trusting the "pros", but what about casual users or seniors who don't have the skills to avoid/solve this? Why did I learn about the (possible) solution from some random, obscure post I accidentally found online? Of course, Microsoft's (lack of) handling of this problem was worthy of the earlier behavior that essentially caused it. Well, rants over. Good luck to everyone, I truly hope all of us can recover access despite Microsoft's worst effort.

P.S. You're welcome Microsoft. Who do I bill for my time?

reddit.com
u/anvoice — 2 months ago

More of a thought exercise at this point. Originally posted to r/Microsoft, but either they auto-delete support-looking posts in 30 seconds or I hurt some speed-reading mod's feelings.

A bot keeps doing an MFA exhaustion attack on my MS account. The interesting thing is that Microsoft allows this even though the bot keeps getting my password wrong. Not only is this rather unintelligent, it seriously confused me as I was looking at the signin history and finding nothing, prompting me to change passwords several times thinking I was hacked. The password was long and random, and this kept happening, so I eventually realized the bot cannot be guessing right and simply removed the prompt to log in from my Outlook app on my phone (did not know about the alias option at the time). This stopped the MFA requests. I forgot about this for a while. However, when I logged out of my Outlook app on my phone by accident, things got real fast.

Short aside: My email is linked to various services, and I receive important messages there all the time. I can't afford to lose it, and even a short temporary delay in accessing it is troublesome. I have a long, random password. I have 2FA enabled with multiple copies of the 2FA app in case I lose one. I have a linked email address for emergencies. I am quite computer-literate, but not a security professional, so it didn't occur to me to keep multiple passkeys to the account scattered around devices.

When I attempted to log back in, the MS account login page informed me that I tried to log in too many times with the wrong password. Obviously the bot is still at it. Ok, I recalled that changing the password seemed to allow me to bypass the cooldown timer. So I changed it successfully using 2FA and my linked email. I try to log in using the changed password. And now MS tells me the password is wrong. Mind you, not that the cooldown timer is still engaged. It specifically tells me it's wrong. So I proceed to repeat the process, until finally MS tells me that due to too many codes requested to the linked email, I can wait until tomorrow. Next day, I try a few more times. No luck. I go to MS account support and the bot (MS one this time) tells me nothing is wrong with my account. After following the merry-go-round that is their account signin "support", which repeats the same useless advice over and over, I come to the conclusion that my only option is to go through the account recovery process. Fortunately, I have access to my last logged-in instance of the account on a device (a PC with no passkey on it, so I can't use it to log in), so, following MS advice to answer the questions from a previously used device, I go to my phone and enter every bit of information they seek. Personal details, email addresses I sent mail to, verbatim email subject lines.

Radio silence for 3 days. Not even an acknowledgement that some process might be going on behind the scenes, leaving me guessing whether I shold repeat the attempt. Tried to ask a simple question about this on this subforum, and it tells me to go to the Tech Support one. That in turn tells me to get lost because it's an account signin problem, and that only MS can help. MS is nice enough to at least state somewhere that you're on your own if the account recovery process fails, but no further help is offered.

Meanwhile I need to travel and can't take my PC (the one with the last logged-in instance). I already couldn't use my account for things like setting up Tailscale (MS account is linked to it), which I was counting on, but now I have no more access to my emails at all. Absolutely randomly, in another despearate search on the web, I finally find a post where a user asks a similar question (different keywords used, so Google probably didn't consider it related) and some MS representative explains that in such a situation, you wait for 48 hours without trying to log in so as not to reset the lockdown cooldown timer, and only then change your apssword and make your next attempt. If that fails, you wait another week. The 48-hour, then 1-week wait if that fails are my only options at this point. I can only hope the bot, which will obviously keep trying to log in, will not reset the lockout indefinitely.

At this point, this is no longer a support post, so I feel it breaks no rules here. I know what to do, and I know that I get no help if that fails. Yes, the post is bitter, but I'm not asking for help. If someone needs to feel more significant by removing it, I frankly don't care. But I'm legitimately curious: is there a particular reason Microsoft hates its users this much? Or perhaps it's just that incompetent at problem-solving despite inflated budgets? Why do I need to get hammered with hacker MFA requests when the bot gets the password wrong in the first place? Why is there no protection against this? Why does the login information not help clarify what is going on at all, and why do I have to lose access to my account with an error message that essentially misstates the reason for the error, sending me on a days-long journey nowhere? I get actual support costs money, but why is there no transparency at all about whether my final (bot-inspected?) recourse option failed or not? And why do I find the information that might (or might not) help me get access to data and services I badly need and have gone to great lengths to secure (as far as my knowledge allowed at the time) in some random, singular post by complete accident?

I doubt this will gather any serious traction, but I'm posting it on the hope that it might. This problem was created out of nowhere by bad engineering and someone leaking data with users' logins and plain-text passwords (a phishing email I once got included an old but legitimate password for credibility), mixed with deceptive and useless error messages, plus no support on this issue whatsoever. If a fairly tech-savvy user can't even be sure if he'll ever get his account back after spending days struggling with this, what chance do casual or older users stand? I think Microsoft seriously needs to shape up and at least pretend to look out for users. I'm completely ready to engage in polite, constructive, thought-provoking discussion. I've plenty of time (at least 48 hours, plus possibly another week).

reddit.com
u/anvoice — 2 months ago