TL;DR My MS account was accessed and information reset by someone else and used to lock me out thanks to 2FA.
I have had the same MS account for over 10 years. I used it for XBox and Office, both of which I use regularly. I do not use my live.com account for email though. Wanting to protect my account, I set up 2FA as advised by Microsoft. This is a great idea when it's implemented the way my bank, credit card or anyone else does it.
Last month, on my way to work, I get a notification from Microsoft that someone has changed the phone number associated with my account, followed moments later by a notification that my alternate email has been removed and replaced with a Gmail account that I don't recognize. Shortly after that, I get another notice that the password has been changed. Once I get to work, I try to log in and then to reset the password, which of course I can't do because I don't have access to this other email and phone number, only the ones that have been removed by the intruder.
So I try to get support to help. They direct me to a form that only works IF you don't use 2FA. Then another account recovery form which has me wait 24h before they tell me that I don't have enough information after providing XBox device IDs, IP addresses, the last 4 digits of my CC number and so on.
Meanwhile whoever has my account has gone shopping for XBox Live gift cards. I call my CC company to report the fraud and they tell me that since I've used that same MS account in the past and the purchases are from there, they can do nothing aside from cancelling the card and I have to contact MS. I call MS to report the fraudulent purchases and they waffle about, don't issue a refund and seem generally uninterested in being helpful. They tell me that to dispute the charges, I need to log in, which of course I can't do. They advise me to reset my security info and then dispute the charges...OK...that takes 30 days during which I can't access my account. No access to my XBox account...OK, that sucks, but I can deal with it. No access to my MS Office account is a bigger deal, since I have papers to write, but I can do that with my account through the university where I teach.
The 30 days are up...now what? I still can't reset my password without getting a recovery code from either the hacker's phone or email. MS just sends me a cheery email saying there was no evidence of account takeover and a link to the same account recovery process that doesn't work since I have 2FA enabled and then directs me to the process that requires a code be sent to the hacker.
I have no idea how the person accessing my account was able to change my information WITHOUT getting 2FA sent to me. Everywhere else has a way to establish my identity and restore access to far more sensitive and valuable information. Microsoft has failed me at every turn in this process.
As of now, I am out $74.97 for 3 $24.99 XBox Live gift cards, $99.99 for my Office 365 subscription and several hundreds of dollars on top of that in online games I've purchased over the past decade plus. As far as I can tell, Microsoft doesn't care at all.
If anyone here has read this far and has any suggestions for who to contact or how to resolve this, I'm all ears.
Posted to r/microsoft, 4 years ago.