URGENT - Help Required - Hackers got my mobile number!

Hey all.

Really hoping someone can help with advice, please. I'm in the UK.

Hackers managed to pull off porting fraud and got my mobile network to send them a PAC code, which they used to transfer my number to a different network and now they control it.

I have secured all my important accounts with Google Authenticator, and my Microsoft (Outlook) account with Microsoft Authenticator. I also changed my phone number in my most important accounts so they can't get OTP SMS messages sent to them, and changed the password to something really strong and random.

My Outlook account is currently getting targeted with a ton of unsuccessful login attempts, one of which triggered the authenticator app (which I denied the request), which makes sense as the first thing they'd go for. As mentioned, I changed my password to be super strong, I replaced my phone number, I have Microsoft Authenticator installed and I have passwordless login enabled, so I need to use Microsoft Authenticator to login.

With all these changes to my Outlook account, am I right in saying I'm pretty secure from hacks? Or can they brute force somehow, even with the authenticator in use?

Would be great to get any advice on the best steps to take. I'm pretty on it with security and never click links in (unless I requested a password change or something similar). Pretty sure I was just on a list from a website breach that was sold on the dark web.

Thanks in advance everyone!

Contact your ISP and explain what happened, give them your old number and answer a couple security questions and they can deactivate it for you.
Other than that, you should be good if you have 2FA and new passwords
Sorry this happened to you man :/

Triplen said:

Contact your ISP and explain what happened, give them your old number and answer a couple security questions and they can deactivate it for you.
Other than that, you should be good if you have 2FA and new passwords
Sorry this happened to you man :/

Click to expand...

Hey buddy. I already contacted my network provider (Three) who were pretty useless. They said they raised a case with the fraud department and to call back in 24 hours. I did that, then they said to call back in 24 hours again! By this time it was too late.

Awesome, that's all I was concerned about, my email mostly (because they can find out everything if they access this), I figured without the mobile number they stole attached to the account anymore, and a new super strong password and the authenticator app, they wouldn't get in. But I'm not clued up on current hacking methods, I know there are a lot of smart people out there who can brute force even the strongest security methods and the biggest companies.

Thanks for your response, really appreciate it

robertson1587 said:

My Outlook account is currently getting targeted with a ton of unsuccessful login attempts,

Click to expand...

First thing you need to do is
Don't risk it, even with brute force
Go into https://account.microsoft.com/profile
Find where it says Account info
If you have Multiple Email Alias, then great, if not, go add one temporary.
After you have at least something besides your main one
Find the option Sign-in preferences
Should be right under it
Then inside it will list all your account alias
then at the bottom click

then untick all email address they are attempting to "sign in" to besides the one you want to "log into"
Keep that email 1000000% hidden and never use it or give it out.
Now, noone will ever know your email address to log into that account. (multiple address, but 1 inbox)
While all the "Unticked" still receive emails.

xReminisce said:

First thing you need to do is
Don't risk it, even with brute force
Go into https://account.microsoft.com/profile
Find where it says Account info
If you have Multiple Email Alias, then great, if not, go add one temporary.
After you have at least something besides your main one
Find the option Sign-in preferences
Should be right under it
Then inside it will list all your account alias
then at the bottom click
View attachment 252810
then untick all email address they are attempting to "sign in" to besides the one you want to "log into"
Keep that email 1000000% hidden and never use it or give it out.
Now, noone will ever know your email address to log into that account. (multiple address, but 1 inbox)
While all the "Unticked" still receive emails.

Click to expand...

Wow!!! This is amazing advice, thank you sooooooo much!!

Question, will this affect my account password or anything on the Microsoft Authenticator app?

Also, will this now make it impossible for anyone trying to sign into my original email address?

Thanks!

robertson1587 said:

Wow!!! This is amazing advice, thank you sooooooo much!!

Question, will this affect my account password or anything on the Microsoft Authenticator app?

Also, will this now make it impossible for anyone trying to sign into my original email address?

Thanks!

Click to expand...

xReminisce said:

First thing you need to do is
Don't risk it, even with brute force
Go into https://account.microsoft.com/profile
Find where it says Account info
If you have Multiple Email Alias, then great, if not, go add one temporary.
After you have at least something besides your main one
Find the option Sign-in preferences
Should be right under it
Then inside it will list all your account alias
then at the bottom click
View attachment 252810
then untick all email address they are attempting to "sign in" to besides the one you want to "log into"
Keep that email 1000000% hidden and never use it or give it out.
Now, noone will ever know your email address to log into that account. (multiple address, but 1 inbox)
While all the "Unticked" still receive emails.

Click to expand...

Update, I did it successfully. Can't thank you enough for this info, pure gold! Never heard of this before, but probably the single biggest way to secure an account I've ever heard of!

robertson1587 said:

Wow!!! This is amazing advice, thank you sooooooo much!!

Question, will this affect my account password or anything on the Microsoft Authenticator app?

Click to expand...

Your password is still the same password, the only difference is, now the email you can use to sgn in is only the one you "ticked" or selected. This can be either an email or a phone number (I would advise not to use a phone number as a sign in info)
Also, you can litearlly change this anytime you want, just need to delete an alias email and add a new one (there is a limit though for example, maximum add 2 per week or something like that).
So if you ever feel like that username email has been compromised, add a new alias email using the same instructions as above and delete the compromised one.
Once you delete an alias, you won't be able to receive any emails from it anymore (which doens't matter, since that was never shared to begin with so you shouldn't be receiving emails from it).
Further, any email elias you ever added to your account, even after deletion, cannot be recycled by another microsoft account. Only you can re-add it later on (although there is no way of seeing a list of emails you added before in the past).

Your microsoft Auth App is still the same, because techncially it is still the 1 account. It is just an "Alias" added ontop so it won't change anything for you.

robertson1587 said:

Also, will this now make it impossible for anyone trying to sign into my original email address?

Click to expand...

Any email that is not "ticked" to be able to use to log in, cannot be used to log in.
When attempting to log in, it will show this error.

They will "know" this is a real email, but they won't ever know, what the actual email that can be used to sign in actually is.

Hope this helps !!!