Account with 2 step verification has been hacked

SR 0 Reputation points
2026-04-09T11:30:38.4333333+00:00

I got scammed by a phishing text. Entered email and phone number before realising it was a scam. My account has 2 step verification, which was set up ages ago, and clearly I didn’t understand what I was doing as I used the same mobile number twice (the one I gave out). I seem to be locked out and cannot change anything. Password not working, can’t do reset link. There is an issue with biometrics and passcode too, so I am completely lost as to what to do. I cannot seem to find anywhere where I can speak to someone. Done the recovery form about 4 times but no response. It does state it won’t work for 2 step verification accounts but doesn’t say what I should do. Had to set up a new email just to access this Q&A.

Totally feeling like someone is scamming me and I cannot do anything about it. Any suggestions will be greatly appreciated.

Outlook | Web | Outlook.com | Account management, security, and privacy

2 answers

  1. DaveM121 862.2K Reputation points Independent Advisor
    2026-04-09T12:12:56.0233333+00:00

    I wish I had better news, but when a Microsoft account is hacked, if the hackers change the associated recovery options like the email, or if 2FA is enabled on the account, then that account is usually no longer recoverable. This forum is just a user to user account and no-one here has any account access. Try using the process they provide on this link to recover a hacked account. If this process is not successful, sadly, that account cannot be recovered.

    https://support.microsoft.com/en-us/account-billing/how-to-recover-a-hacked-or-compromised-microsoft-account-24ca907d-bcdf-a44b-4656-47f0cd89c245


  2. Q&A Assist
    2026-04-09T11:31:04.11+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    For a personal Outlook.com / Microsoft account that has two-step verification enabled and is now locked after a phishing scam, only the official automated recovery paths can be used.

    Key points from Microsoft’s guidance:

    1. When two-step verification is turned on and no verification method is accessible
      • If two-step verification is enabled and none of the alternate methods (phone, email, Authenticator, security key, etc.) can be used to receive or approve a verification, Microsoft support cannot override this.
      • Support agents are not allowed to send password reset links, change security info, or bypass verification for security reasons.
      • This is explicitly stated in the account recovery documentation: if two-step verification is on and no verification method is available, the account cannot be recovered by support.
    2. Account recovery form behavior
      • The Microsoft account recovery form is the only self-service option for locked or hacked consumer accounts.
      • The documentation notes that the form does not work for accounts where two-step verification is enabled and the user cannot access any verification methods.
      • Submitting the form multiple times will not change this limitation; the system will continue to reject recovery if it cannot verify identity with the configured 2-step methods.
    3. What can still be done
      • Use the Sign-in Helper tool first to confirm the available options and see if any recovery path remains: Sign-in Helper.
      • If the account is considered hacked or compromised, start from the hacked-account helper: Start. This may route to self-help or a chance to talk to an agent, but the agent still cannot bypass two-step verification.
      • If any old device, phone number, or email that was ever set up as a verification method is still accessible (even if forgotten), attempt sign-in and choose “I don’t have any of these” only after exhausting all options; if one method works even once, immediately:
        • Change the password.
        • Review and remove any unknown security info, sign-in aliases, and devices.
        • Turn on safer methods such as Microsoft Authenticator or passkeys.
    4. If no verification method is available at all
      • If two-step verification is on and every verification method (phone, email, app, security key) is either lost, compromised, or unreachable, Microsoft’s documentation indicates there is no supported way to regain access.
      • In that case, the practical steps are:
        • Treat the old account as permanently lost.
        • Inform contacts (from another email, phone, or social channel) that the old address is compromised and should be ignored.
        • Update email addresses on banks, services, and subscriptions to the new account.
    5. Preventive measures for the new account
      • Enable two-step verification but ensure multiple, independent methods are configured (e.g., Authenticator app on a secured device plus a different phone number or email).
      • Consider going passwordless using methods like Microsoft Authenticator, Windows Hello, or security keys as described in the two-step verification guidance.
